23542300x800000000000000051235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:32.462{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE93B9CE5CC43011D2B8B3946A07821,SHA256=E02B3F81EA243F7608D158E6F65FCA30B29251D93D00040E4CE1B2B0F937FAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.903{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.387{F81F30E6-F0EC-62DF-0E04-000000006F02}20165260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.239{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9B4D2B05F9DEBBC07078D69CA40A63,SHA256=E3D32B67CBE4933A8CDFCFF776CE475FC4F710E9281FBDD196B019A11E68426F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.219{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.024{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython httpserv.py 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000051237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:33.962{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=78C380BE98472140E15A338F49D9ABA5,SHA256=6D4EF96040D98C5C2C34C8CC2E1704D57E20B0306AB8D23453BD858D15BB9A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:33.556{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F9EDF60A22012E40B74678DF76CFA5,SHA256=B3CC1F37ACC6D8456AC1EF7DBE23C57D408520912C2476F49249EF0C7662086C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.473{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.271{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692A35FB9440CCCC93CC5483E07DCA0B,SHA256=53A261D2529434F8232B79099E7AA9DBA30432403951DCF7933604126D0D4D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.155{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FE87C2CC0CDB554EA6BFEC257009F17,SHA256=234E1D58C3946ECDBCC6487C6313B0F4A13A1023F7E51F305C590AF3ED580D8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.102{F81F30E6-F0EC-62DF-0F04-000000006F02}70445272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:34.650{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF55C514411394DC98C2C02FB19663FD,SHA256=7ACA9C3C8ECADD1A5F9D2D1817322101B98D3D1EAC446563E3136755675AFAFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.971{F81F30E6-F0EE-62DF-1204-000000006F02}48847892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.803{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.671{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E2D2B2EA3EBFD3EDE463F826B47C7AE4,SHA256=1A094B9CB44A0476D6AED28934DC01E534B7C5C8A9BC25C8DA75814F111062D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.356{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1357AD5C368EDB1F96AD2DA872DC5F,SHA256=AF38D0C9D82C9A583BD78158E07972190B9338AF693E4006C2B915C202B49923,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.137{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.136{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.136{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.134{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.018{F81F30E6-D97C-62DF-1500-000000006F02}12287656C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.018{F81F30E6-D97C-62DF-1500-000000006F02}12287656C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:35.744{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110E721AB9F04700360259143275961C,SHA256=6E72A61CD0FC39C35AF9B2722DAE3BB92304C7C809ADA38FC8972DAE0CE212E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.639{F81F30E6-F0EF-62DF-1304-000000006F02}44281696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.517{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344F0E1802D11A01A4209333C89B7CF5,SHA256=6FD9CEEFEB4151287FA03C714E5F18469520D685762913785045551AB0E9A3FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.487{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:36.838{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D59D16345E312AD9AD3DE201A774084,SHA256=E48F811512BDE652ADF2F70FF4C37E322E6177B619EC7683F0B7A1327BDF3B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.555{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7CF5FFCCC6A66BAD689B4613F70C25,SHA256=156DE374EFEECD07D2EB8B81B61F3D1B6FE765F9E8C9DE62E9AD159D546CFD29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.155{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:37.932{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C2D07F6162EA62C65662883E422D9D,SHA256=38FCF51094683770EDB0D68E22CF63FB49BE3163F1C325476F31AC5D61897889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.602{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E44F824DDA3FCD6EA80328BE66854EE,SHA256=424537488F39A7253935DC31E9DE1BE850FE0C720B8C459840CF5BD2F5B8F838,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.654{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF551B2F1CD02578C7D2425830A19F7B,SHA256=E806295DCEDAC0889056C8E0EC4DE3B0DAF4A64427014B7E6246EC34791C196C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:36.191{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50882-false10.0.1.12-8000- 354300x8000000000000000273985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.039{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64766-false10.0.1.12-8000- 23542300x8000000000000000273995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.699{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C1FC521771261F41AC632C7CC659B5,SHA256=31EEF755B3175F7022F7E87901CB6453B6CE66E2647F227CB032454511976254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:39.026{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42F7B158C9D5277A7D5CF24CEF00B97,SHA256=FD672A9EA1C2A2A16743E61BDD49A8ACA378B779A66B9278749ADA5DA2F15CA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:40.833{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4794C86EB851820081D7DE1A497325,SHA256=0942710ED36C2E9735BFD600D55EB5AA64B9E33C577E22078631C8C047270693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:40.120{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2660132A3616C932A5F0E0EC83EA5EB,SHA256=824F06B961028C3D6FFBF107E7BDEF6CA024D3624EEC40C7539B43C191675927,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:40.400{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000274002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:41.983{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58CC9CEF92A9A302BC50BFFEE6B7C85,SHA256=B42EACA683F943EF31062D7435BEF6A410AD670D27340479AE5B11CC23E5C442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:41.213{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE124DE5E710B08EB7D4B622818E2FD,SHA256=FD2C1CCBD0E25DA305D018B2B2F9DA6CAE176E19088FC0E51F0514F71B0652F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:41.483{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19211FB5FC8842648589137B2EA2439A,SHA256=0FC649368703A85210D99AF458D44C1BB3BBA62B79BA3C08F63865D2FB92385C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.576{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local59228-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000273999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.575{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61708- 354300x8000000000000000273998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.574{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54314-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 23542300x800000000000000051246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:42.307{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367FA74B9D4F9B4CBA56D8E11CAEA19F,SHA256=DF5EC9F525973980206D06CACEB7B16F0CDB1B381A9B34C7644A44A083696E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.403{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64767-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000274003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.403{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64767-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 23542300x800000000000000051248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:43.401{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E936511B5F809D660E70E9CBDA023D7F,SHA256=16A531F29A2B099A8E63E2BDF58CD9B476F743D48AB323CDCE1A51916E9DC405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.435{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:40.255{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64768-false10.0.1.12-8000- 10341000x8000000000000000274013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.263{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython httpserv.py -p 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000274005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.031{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9688D8182382BD69442B02FC7F8FCF,SHA256=FA51F42466DA5C9A12D22046F00CF1930533146A36E5172AE26C33AAC8449EAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:41.317{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50883-false10.0.1.12-8000- 23542300x800000000000000051249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:44.495{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5C52057FBC5B30C492354DB3447A23,SHA256=DBC77BB04504B40D8D905B8409FFD379A8EF3886C9B6983749DFD94323E5454C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:44.081{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8DEEA6F84EB125F64F9F3F37C897F4,SHA256=5335005E4C5121C2E8E143D5C752BBF792C776781E2489ECF6C5672928F7E736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:45.792{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:45.589{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808A879257B2613D695AFCE2C5CF9FD4,SHA256=966EEC06A8B3607BC083A9948BA1E5281D41F944EC071C90462E18EF621BDD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:45.111{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C68233072AEF53374D8CE7C10AD8730,SHA256=67EDA6AABC88D0A257503106F589919ECAFCFB5FFF852A28334FD2602EE9C8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:46.682{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF7EAB40DAEBAAF80D9D1B688C1F1DB,SHA256=00473E416CEDA7CFDFD73BE7B05934416988D152DE8378EFD8CAA6FA0ED501A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.729{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 13:49:46.727 23542300x8000000000000000274023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.729{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.728{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 13:49:46.727 11241100x8000000000000000274021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.529{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:49:46.527 23542300x8000000000000000274020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.528{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.527{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:49:46.527 23542300x8000000000000000274018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.149{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511BC1E184122B63697E6D38F333E22B,SHA256=82182443D0472E87577121EC5AD0E6DE7E4B362E797B648F29517AB7D1DDB1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:47.776{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AAF8D50C6F5333DAF0AF4F95056D08,SHA256=057F524C2742752E9F328450FC9AF6ACFE42C5F337544FABE376AFFFB58AD51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:47.745{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=627402102D3BA5B7E986D4E343DA19AF,SHA256=BE649F9F3746B73A4999EA3242F1F6BEEC392F8C66D3D7CF6C3DEA1186D9268C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:47.747{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:47.279{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3C7E2A105973726BBB36D24E54075F,SHA256=44954D7B3D4055108BF6E7D380951C2F03985ED485CADF4681E7203C44EE1FF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:45.848{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50884-false10.0.1.12-8089- 23542300x800000000000000051257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:48.870{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D548874DAB2660851CE9989A1A33E2,SHA256=72D690E43186D9600088E9E3D05DB42B50182C24EF8B0A5F7EB76196B2FF8149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.729{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.430{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CFC1DFAC89EEC55E2BE01C692B1097,SHA256=DF5FCFBB5755A97EA7D44C19526F9B7931CEE63E007C580002A4188E8CA7B632,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:46.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50885-false10.0.1.12-8000- 354300x8000000000000000274035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.067{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64769-false10.0.1.12-8000- 10341000x8000000000000000274034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:49.963{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C74027EAFFA8EC1E49349E8DF8E9EED,SHA256=AF74189B433DD97BD15CD902E8524410F286507AAF5A046EEA14A2A288AAA459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:49.893{F81F30E6-DE12-62DF-7B01-000000006F02}62606932C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-EFFF-62DF-F303-000000006F02}3988C:\Temp\dcrat.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5559f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+6d93|UNKNOWN(00007FF973F14401) 23542300x8000000000000000274038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:49.477{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E408835EA83786970A65DB4D14DF6E9,SHA256=0A07517521BC84927769FD453DF81D6F930EADE79D3F7A052F7C424A1C9582F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.844{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.844{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.844{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.807{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.807{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DD2886FDFC248B42DB05C7E049037D,SHA256=9D13CDC029FED2EBA94F0C4F5F5231F0768FF454A8D29A9B9EC9DC9D3108A87A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.675{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B6390A7FA95FC8C1052FF76BF19E1A,SHA256=5BDED9BF85C951DB5B2A2A0E19F368D699A4F3AA7CFEAE52504E5EC139DB798F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:51.057{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E1274599DA9592E775E413527BA2C4,SHA256=661BA192DE8DBCF122AB1631B7E07039F4A13E04133AED72148B6E23FB73F61E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:47.712{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64770-false10.0.1.12-8089- 23542300x8000000000000000274080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342B2B0228873839E4CA741FDD690DBA,SHA256=75ABBED59D8FAEB142EB0BD588719BC5D6639A79299DA575E907723FEF69DCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:52.151{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECCE7EDC6A00AA145031C2A45D03A56,SHA256=901ABFC6731D9C76C825E9FE51C526ABCD46B31D898C407EAC7FBC8D2D15E924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.190{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=340E2398A4442A0BB3207DA871A00455,SHA256=C917D2E35AD8C11867467314E726EA880A904582A6AAA5774C8314AA2A5B0B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.159{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.106{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.106{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.090{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.075{F81F30E6-DE12-62DF-7B01-000000006F02}62607320C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E8F4BC) 10341000x8000000000000000274073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.028{F81F30E6-DE12-62DF-7B01-000000006F02}62602128C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E37196) 10341000x8000000000000000274072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.028{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.028{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E4383B) 10341000x8000000000000000274067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.024{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.024{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E37196) 10341000x8000000000000000274064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.024{F81F30E6-DE12-62DF-7B01-000000006F02}62607320C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E33AC9) 10341000x8000000000000000274063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.006{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7105|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.001{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe5.15.2.0-libGLESv2-libGLESv2.dll"C:\Temp\dcrat.exe"C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=E06895CC68C528CCD69780358C4A9DA8,SHA256=A7BC5B997A4051EF86F2BEC3C3E21254AFF16F8CFFF9ECFBBC06F73DA39D5F9D,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000274051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.921{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6E1639A35DF52F730346C291F5AB42,SHA256=A038F9011155C266D14DAA359E8E107922E2084835C5727637A5541D21350D32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:52.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50886-false10.0.1.12-8000- 23542300x800000000000000051261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:53.245{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21095576D9AF3B396DF1B3B7EB8B6FC1,SHA256=F34CFD8EC9C96019EF1DBA1AF82619F9F573D3A89AEB0D078376F088C0CD68F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:54.338{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E09DF36E99ABC75FCE5E6FD521EC6B,SHA256=FC4337127CCDC1229C5DC9D30EFB407615601D846C7EAB2A76D21464F009EE00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:54.599{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:54.599{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:54.560{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.093{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64771-false10.0.1.12-8000- 23542300x800000000000000051264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:55.432{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4938BEFB8AF3B3FABD266E702B30D37C,SHA256=124E65B6282AF61A3AE04BBA350F7C55DCF565443F6CC72FC0EAFFE53E11892F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:55.234{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 23542300x8000000000000000274086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:55.033{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C8C2963361048700E626164EB5B4E,SHA256=0B0E7D52BA771667F37BF12AD313BF946E723F9BD7D95413514F3F79623065F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:56.526{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4481553CB67160B2E3C8A7DF7B4DEC0B,SHA256=8895CF8C0D61F042971A26F517F801AAF2076D02B50D6FD8C357B50E20FF60E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.988{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58217- 354300x8000000000000000274093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.987{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55136- 354300x8000000000000000274092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.987{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55136-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 10341000x8000000000000000274091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000274090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.348{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5bfb2e.TMPMD5=07A8EEA392A63B45D05AB07AEB53AD56,SHA256=96E0E3067BEB1889266221D44DC4BAF875CDC9DF47F2E353EE64800B14CE381D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.149{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADA023A1C88955D40F28A2F7451F725,SHA256=FE596ED0DC483F3AA08F85F892AE3F3E5E7D81545F5B662B99E8904F9CF58BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:57.299{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1B6B2658098B5EEDA9AFED5685E1A9,SHA256=A58F8F05ED91898CECFE74A2C3758A85073B3298AAFC0B65B4975A5AB9F20C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:57.620{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F306C3B2F9B2B5D1E9236850E5E380C1,SHA256=BF08C63721578580BCF342D1F7885814A443B4AD1784DB4912AA659FEFBFF4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:58.713{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1530F351E87D7826CE1711C4E9029F7,SHA256=AEBB8EB565C61DD3A756EBC963659E8D099926C794FBCE8C06F5A73D60ADA3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.978{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.978{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B1985CC2A068949D8275BD8D7AA322D3,SHA256=6642EBBFB4D1461B1AA941134CA5B1C3FBC50DCF88865D2770476D4E5DF0F489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.432{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF9A03BEED2E1194F72CC15ABB1DE9,SHA256=42C2093F7E56CC3FF228A44D52B320516F2F7A5D467C7D6CB5DC372D51ED603F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:58.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50887-false10.0.1.12-8000- 23542300x800000000000000051268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:59.807{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E5C56C1D723520658BBA70120E30A8,SHA256=49A3A482E4E4BF49DF9AE1BCC35B864A02BE39BB511CE8AC47CC4D29ABDBD4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:59.478{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC006122B7D648E05A132EBF991C4FB,SHA256=44D9A078156D31ABBBCEA0E655EACD10A4A18846514C16C3D6CDDCA5F6C95043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:59.231{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=F8ED0B3FE5B133867F217DC2CE052A31,SHA256=ADA40FD4B6FD7F5F96A103B85BA98E2829AA1695AEA1906D5A1718F2F33E2189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:00.901{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18F60E464D0A52B900D9AE5F78BC193,SHA256=8F0B51A3265C89499664634536217CBE6261221405EE4A33A4FA2D3B80BCE83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:00.630{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A955D2B3EA26FCF3D45E258C3A65CF,SHA256=E309D526BA4C5BA586F6C9FE5DE1CAA8AAF0339650B3AC29A8733759EBB1F365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.050{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64772-false10.0.1.12-8000- 23542300x800000000000000051271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:01.995{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E82EAA9B8158AFACC614D85DFB01EF8,SHA256=DCE4B5086C853A210DA1A8FFB6CCDB3FD64E006721981803398804CE2E100EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.746{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA78E1BCB563B1C83D0F743D603EEC29,SHA256=3FAC28AA49CA227E9624A5C0FBAA3B56F91437E348407127FD2E93DDACBB5379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.213{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7D6EAAB285E6E7E461BE7693920542E,SHA256=53849F8D439CCAA798B74152BE4517DD9049BB5FF79E512AF7CD59EE16EE2223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:02.863{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB974BF74B75EB4F24F68382DFC829F4,SHA256=BC9B7DC7309A5D88B4251CD6341D259BBA2B8956E72E282FA9EC594224F8057E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:03.979{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B60E6C53118039B60540322B302F407,SHA256=1454ED85936CE6FB30036043B267E18AE13C7CB75EC8FC30E5603D31EDCDC890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:03.088{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1287EDCFDF422D490ED6A243DB2FB0B0,SHA256=08E24443A4A51448604D4C2FB6AB8A42DC3ABFEEBFA58072D7256842BA6537B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:03.648{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF88C37AAC6000B9151F96B5B24FC6E8,SHA256=39E9FCE63682135685D980915F4530C36A5A76F9FCDDA67E525F686B641CC9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:04.326{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-097MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:04.182{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3FF540F23BADA1BA3FF30C29A19334,SHA256=35A99D01F217305311C15BAB7C0CD1F37828D5482901D15C938794A7AB1F22B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.596{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64773-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.596{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64773-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000051277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:04.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50888-false10.0.1.12-8000- 23542300x800000000000000051276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:05.325{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:05.277{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCDAA375BB862805DD6F7761A68E712,SHA256=A5CF0DB6F02596C703BADB933CDD1274DEF3ABD7F0725A87B58C072B57BD4AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:05.015{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9536E8CBBD20C010969E7494E94858B6,SHA256=63178F5BD6158712918ECF724ECD45BF1B8BCDEA8D25DBDE90C1274289C57C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:06.371{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF119AB48397320588306FFEBBDA66D,SHA256=0BCEA23E89FB649DF618D6C2A23DD3CD0EC5A8E5C64E39B3348F2549DD2CABF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:03.226{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64774-false10.0.1.12-8000- 23542300x8000000000000000274111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:06.062{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75E32AD44AC5B134F4B8ABDC07385C8,SHA256=086BD3BA68599187F7DFE86A13ACFF12A00A03F254607DB0ECF910B11EDA9B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:07.464{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C51F9A0E2E0C70995CA291112237193,SHA256=5DB39C5A3A1CC8BE514CC32B70F3AE68C2591D03B69EC33C23EBB780B04019BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:07.751{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:07.751{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:07.181{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C498F09FFE0743887E77CB872EE74DA9,SHA256=2C5317A555BFBFA4FEBC364BEBE9E1B79A419754DD84480823BBDFC1BE523E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:08.558{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544513C571557AF97EE639C2F9B9A215,SHA256=A0A8E0E63E453FC945E2908933AE086FB448FF4A811BEAFB2D5685010F6B72C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:08.320{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F6BEE6769D22CCDACD97098F6F99CA,SHA256=30AE08182B4CF7C91D72B45708F414DF46C551C7B7DBB64D2DF6F837C555AA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:09.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C6256906273247B62F793DD7D5EB9A,SHA256=3C5DBD6F88E34800EF8BB03FF6571DCD71EC7BED25748B4DCDA8317E2995459F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:09.451{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEEF6E389B0B7901DC8A2542B70F155,SHA256=A17A7C570DF64CC2789570FB835247A16E44B3A50CA43ED759B218856C44CE98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:09.367{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:09.367{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000051283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:09.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50889-false10.0.1.12-8000- 23542300x800000000000000051282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:10.746{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92068645E0265A6B23BA2D6FD935007F,SHA256=23B6D6813DA3A8365D28628E11B3B83C32D21902A94084F844D4393D46BF5E92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:08.239{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64775-false10.0.1.12-8000- 23542300x8000000000000000274128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.482{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC81A174B6305A260EED9DD5C994DA3F,SHA256=B424AC73F800E5D40C6884EBC5AEC30D80796566BC8E776CDB724607131558F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.319{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.319{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.300{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.299{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.266{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.266{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.250{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.250{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:11.839{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BBD482254A54ACBC43D17D1BFC932E,SHA256=D9574846564CADA4B1EB86F6C45CB9CDD11A3C04203ED81729D15EAB47DCE23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:11.535{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23216EB903EA6D6720B95BD04663973E,SHA256=0236F9D60C82C2B167D20C66026D81EA4CF46375A43E76957865B8636FACB0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:12.681{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D56AC38D53879CCDC09A0D0D9E5CC8,SHA256=D50C2F3E57C6D75623D783AF5AC4A2AA95B7894BA97820F06AD741238BFB71FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.872{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.589{53069400-F114-62DF-3903-000000007002}3652736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:12.134{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:12.134{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:13.732{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55153B1F4AED04748DEA3137B8F41B0,SHA256=A27F83E4640F78FAFD8D7329096016C115DCE2F2C441C2567DD2F00309031830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:13.732{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:13.732{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00878359B9F3898BDA6030D2C4DC3D8D,SHA256=22A4312C0A8CBFE458C42C7C9AF030CC8146BA76F79840F04E842A590C8AE803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.372{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.074{53069400-F114-62DF-3A03-000000007002}960372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB4029C34918B8B02D579918FFD9CEB,SHA256=7E585CFA3A3EC9D63E4CD6065C2B03F680D4AB5276BE6AAED7890CE7A57C1937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.899{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845E7D20E8EC4BE508EF05FDF51471BB,SHA256=6AED004640ACE43BC28D84BAB2BA771AC7548908B7F8956FB99976CD4659F639,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.715{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.339{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9457C55B18DB904392834644EC55C6E8,SHA256=ED254145535EE877E4F29712DAECBA904F68FE3D7D5E2834AD01BFE0CEBB253A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.214{53069400-F116-62DF-3C03-000000007002}16643512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.363{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.363{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.348{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.348{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.332{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.332{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.043{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.931{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECF0BA68F0133095485D1671093AACB,SHA256=EC97B85FBF1215157FB9C460A05E53BD06B1F5F53A344DFA1E4BEF9F7B66E247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.542{53069400-F117-62DF-3E03-000000007002}40522384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.387{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9B238A50E9F0935635038321EDC9A6,SHA256=871B554610221A8723569F1F128CD9A21ED43014199A17923CDA2BADF320C8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.621{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201E0CE47199558C6AD3929862B23CB3,SHA256=944BE2A8F270E4956BA0F00C39193C0EF57B0987E077FC0F0DA8362B95C9FE34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.119{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64776-false10.0.1.12-8000- 10341000x8000000000000000274149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.716{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000274148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.631{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.616{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.177{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.177{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000051384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.293{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50890-false10.0.1.12-8000- 10341000x800000000000000051383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.059{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:17.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1889904AF7A448B397EBFE45B6FE77,SHA256=3C4D24F9526C3BA0D6F5D9D0698011C778A962203DDF69161DF09B280CA076D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.724{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64779-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000274157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.724{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64779-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000274156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.640{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64778-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.640{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64778-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.626{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64777-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.625{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64777-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000274152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.746{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72E5532332F24254BF0D46BB2510A2BE,SHA256=86115384EC7B406A81C41E7FC7A23F84959E992FC359A36FEA2CA3D56638565D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.047{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F536BD0E4A20AF8E40800ED3B42F576,SHA256=9B0750AA4F9B21C0E980AA618AFF6F9FA2A118E3DD563C095F6BBFE2046910B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:17.121{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=217453C5503FB5540196008C3E492C83,SHA256=9BB7D6807674383BFD10B6E09CB8AFFDAFCED2572100B3411274940E7685174C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:18.777{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECBC3D7ECA5ED272FE661285CF54BED,SHA256=1F49D093E96318CF302F5D924B9C7AF2B5CFC3D295308EDD0F9857E17302890B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:18.486{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-097MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:18.430{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:18.096{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80EAE8ABCD0E17F5B82EFD6748DD504,SHA256=4EF83B5869BAB18059C4ABF9152906784D9A52B0A629D7D6E3C91D7D620266B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:19.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEF3770B339098366CB986838AADD88,SHA256=5227A074E96A083F48B82D544F901632A12CD872443F9FAA4BB3441B19B9ECBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.501{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64780-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.501{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64780-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 22542200x8000000000000000274164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.481{F81F30E6-F100-62DF-1604-000000006F02}4600datagroup.ddns.net0::ffff:127.0.0.1;C:\Temp\dcrat.exe 23542300x8000000000000000274163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:19.483{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:19.198{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C792B7E8CF0C06ED4D26754D37976B,SHA256=2EEE6BC4B576ECB249064F257B1F36162CBE04E0EC32BF34DFF6FA397D67D1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:20.964{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41531CB60C917CA763B426A5BFE48D7,SHA256=761548284BFDADD4E05AFAD62F5718ABE062E3A218B69FFD908AEE952C984E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:20.235{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCA4F621D4620C5D893056C9A44C747,SHA256=7AC8A121114861812D0E09325EB2A797373422C49FDF0927858D5DD32465BA6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:19.138{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64781-false10.0.1.12-8000- 23542300x8000000000000000274168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:21.354{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA636E222CC0D6B582A6F8A4E0655D8C,SHA256=CE20110B66DFAC3D7A149290685BDFB11F461D4FF15D3209D38B2BD1CF4D1613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:22.400{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD194DAEC2E1B959BDA53E7E84578DB0,SHA256=D2B0C58FD635329E86D7B2D2AD696B7E9D215B47759BCBE35ECADF85F74A358F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:20.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50891-false10.0.1.12-8000- 23542300x800000000000000051391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:22.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13C08EF566FD08EC6DFED5BD00187C0,SHA256=2177E474E8AA0A5C92CC63E3B54191B45A5F47094B31BB806ECA664CBDD9BFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:23.452{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A227FE662B0D14C249DAE617337D9D9F,SHA256=6A207A82DE6B76B4F3FD4D50CA27823CAE746813701F3554248FC804339C9FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:23.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA495E32472D200AE73809B46F58D7E,SHA256=463867095287A53477A7F2DE660D5CB9D4F838BB434004A211EEE0F2527E7514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:24.483{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37968E298B3363C4F64AF413B5EEF872,SHA256=A235C987D3596F1DB7C7143305B8F1F474C66F7FB8875ECA07C34828E46EEF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:24.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165A30ECFF98388B0BCF726CA43F977A,SHA256=49921ED3522085088F77D40740F7261EFFDF90B8CE64D0ECE8E9478899F9AE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:25.339{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A39212EAEE9B88193E0BA37B50439,SHA256=4973F0EADA0E15381E32B96AAC396AA7694DF75BEF00EF43773B918999963454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:25.602{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA6E974695E2229BB2DD07A58872654,SHA256=D719C01EC8D9D3B95F6C110871B32032B7C2AC90174027187515A703FF969D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:26.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FF835CE3FC0F3BEC1F961C40E4B8CD,SHA256=F7C002D212FB5C62D649E0F6EBC0E5CD6FAD26DC9E81560AE334A2641197F688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:26.654{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4BD3132D9B026A1A1C0686CBD8BFFA,SHA256=31E567203606CBCF502E1640FC9167A89B6439E7FC9003F700CE039E05D3B4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:25.124{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64782-false10.0.1.12-8000- 23542300x8000000000000000274175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:27.700{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4CD1F248B1AE7F26BD3722A6EF38D3,SHA256=EBF3D2223F98A1DBBD8C22555158D9C37729A2699C1E7BD813349FE3B6EB4C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:27.527{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C46060BC21675CE1ADCF4DE321439F,SHA256=36A8C43548EA43F075C59222BCDB41E2C88E51B326BB2CECD7F4A046F956E913,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:26.224{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50892-false10.0.1.12-8000- 23542300x8000000000000000274178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:28.817{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219EC5A226C27EC2CC36C5C236E3C435,SHA256=DD89BE733595DE136D42F60CBA9F3B9552E36A5EB486E2EDAEE94F7F926FB51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:28.621{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554183904D0217A56A97B2C4B5B3AEEA,SHA256=F421127DB31414B710012B39D82E9DD7A14418BFA78233038D1F2F5E13110FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:28.585{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBBEAB691ED60AEAD1F3A67399EF776D,SHA256=137BA33D22D8C4078AC3C16086BE0422512A83AEEC1F57A78E795A279A232E5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.867{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BED69CFFF98B6A70514A06B9177358,SHA256=FF69F3965660F45BA08C5617B0DC4BDCDDC25BF84DC682125901E8A3DB299792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:29.714{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFE22ED263E33F315CB1694ABA5ABEC,SHA256=81F0284440104142D5F6D35069418A4CA17EC8C6C2705C7518273AB4882F9857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:30.917{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C4B8875A01A627451254AAB3BD068D,SHA256=661B435F9490DAE084A0FA7B57C46E77F0EBF89586A08879D42B67DE5AF858DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:30.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88AF9CDBABAAAF55E8C61D635493152,SHA256=36F84EC7403952B4E12B7C371EBF592C308C0DB146780EBE0955B0A730B22714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:31.482{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6FF802A02EE51ABDCFD1E6772C1A4120,SHA256=19618F55BBD672A6A6619460BB509A07328F6D64D10BFF9F5458AF9FA3609DB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.883{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.397{F81F30E6-F128-62DF-1704-000000006F02}55243352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.217{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.035{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5635E7B67F64E78E003CF48B1554081,SHA256=F70F7C37EC3BFF812DF7063FD420E67127A51D06F3331F71DAB81FD05228765E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:32.011{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B403E4D6EBAC9F8465EE2E2CD85DB21,SHA256=5020558956D00BAA7FA98DA16F02A23D41B2D6EDE616797D8EED595F97875A6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:31.117{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64783-false10.0.1.12-8000- 10341000x8000000000000000274217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.436{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.082{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3B313324B09F5DE10D3DEF0C6EFE86,SHA256=ADE3E52194D63947188BECF341C5E34984CE651C17C15BD8C8B44DEB9199E7D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.066{F81F30E6-F128-62DF-1804-000000006F02}327364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:33.964{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=29602DBA82A4686B934ED0F97558C698,SHA256=49E739D48596738DC94C9F4E019184B4A5E75D3958CE02532CA878B65EA5913C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:32.162{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50893-false10.0.1.12-8000- 23542300x800000000000000051403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:33.105{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413F489BEC8AEED583B0C8AFBDD53CC1,SHA256=069052C3864274D9EC09746AC9D3B3596044675CA30B89508D14B7B1A05311F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:34.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FB8FC68029B9D1B2EA5A11ED52183D,SHA256=69D407F25E846F01B137591CF3DBA0F04F6D82F5BF5E8B526553E993FA523359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.965{F81F30E6-F12A-62DF-1B04-000000006F02}66966816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.680{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7C439B7F00D460AF6614E227899CE8E3,SHA256=F8820E2287801DEEAE1E6D9EC8F6CE515DD6059DB91B7305064D0BB9FE854575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.514{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F22C70808D3E4978872556C3DA1B5971,SHA256=BCF19BE5B0335A8385BE16CF7A91756A650504EB64B41AD1371BE06082D4A6D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.449{F81F30E6-DE12-62DF-7B01-000000006F02}62607320C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5559f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+6d93|UNKNOWN(00007FF973F14401) 10341000x8000000000000000274236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.280{F81F30E6-F12A-62DF-1A04-000000006F02}64285284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.118{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D355C9F64A7B02F97B493FC991622BE,SHA256=947855FAE170127A9F8DCA2BACC3DB00AD68589F878DD93A4D1E6FA710C8DF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.116{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.113{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.113{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:35.292{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7238027F29E3E27BF8BAE878745131BA,SHA256=6888F22FC6C34A6DB781D55A5936A4B28A8E6E31EBDBADED0DEDF674594B3653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.466{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.213{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEDE4FA86D879AF2D1418CEE234AF32,SHA256=A9C4C86F59D9DDC81CB73202260FCA0CD395F1FF51C58C0FABE3EA79F7F8B677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:36.386{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E795F02BCAB00200EF1F4E2884361EE,SHA256=4EC5E3D2A24DB978C4FCBEECD40B74BA75FA31C311FF2B1BA1B7A987C67F02C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.279{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1734CE5BE4FAFEC39B901E67C3C0E3B8,SHA256=80AFA30E5F7C3B039F9EAB7538555D83D591C4298ECEEE648CE444158F42EA56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:37.480{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647670BF649220130105D51A3DBE0978,SHA256=48158C8E753B63AD25B6E8956AA559BC34FF67FDC3FBD9B349D78C557303FC57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.311{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9CAC946413A548C26F7A2E5C83B536,SHA256=32B66983FC19D0708433298CCDCA696144D3E2E8954BA3ECE09F1855A9460306,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:37.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50894-false10.0.1.12-8000- 23542300x800000000000000051410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:38.574{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD43ECFE253EB29CB66B5B179432D30,SHA256=86F414308DF521FF5DEBCE1A8E21B1390238907C76D4E1EBB67F38F3355DF619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:38.413{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE14AF43B8A5CE0400DA5789627D7C6D,SHA256=502129460AB440594DFD66F00DAF7AB125370B22AD3EEC813BAE428F96B43A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:39.667{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5B350D4B93CE516DA665B738C3FCD8,SHA256=83399F1FD7FF0FD9BF65CC8469B8410341406C1B7394A5C81581B90CF50AC2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:39.546{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8682E81E1C7666338178DED83C7C6E9,SHA256=91F7AA31DE8B0F48ECF74045AFEB6347F60C65B34D43D4CF04D620FF03ED293E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.218{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64784-false10.0.1.12-8000- 23542300x800000000000000051413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:40.761{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB51A4E68E8C082D37FC73F894E6D723,SHA256=B7D20439B5B32CCE71C5D531E5F85299D239105E4ACF9CB0C84AD84FFBB5B86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:40.577{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717A0DED0C51095C5BA355695B58614E,SHA256=4D548B62371DAD96170013056F1EBF182D7AEFF9FB25DADD74CDCCB0FEE180EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:41.632{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E82E46CC4762BE0A44DDD18DF58DFA,SHA256=4825FDCFDBCAE4206582346E8DEAB80811231E78D8035F85AFB1CFE65276539B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:41.855{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA1AEE0FDE3D4DFC3133ABB9E5B13A3,SHA256=9707ED12C92D7028028FD63B8C74D402828ED3A201749CD0F36E655850244F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:42.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58A88693BDC40ECF112474E270B6F2F,SHA256=F3B87C3A7F0B730CA23393443E8A062DB19729BE26536CB99470D78AD9E2C144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.678{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD91180393723BC29801175C1AE9B85,SHA256=3A749A14989AC63D54FE6C68B07D05C44D45BCDEDB3190892FEB2B8BE7DCA4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.714{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB0DA195E59B34878E21BC8FA7EBCEB,SHA256=25FE4251FB2D47EEB2103FF397C3C245D1100E44F294D65D9C9B7EC27B210788,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000274294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:50:43.446{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000274293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:50:43.446{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000274292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:50:43.446{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000274291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.430{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.430{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.745{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5517EC431A5C7B8A4F1081CA2A6A2D,SHA256=1A025A74CD457407E37FC84B51A4A3849101CD97670EE4682F8F26B68847EA90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:42.287{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50895-false10.0.1.12-8000- 23542300x800000000000000051416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:44.042{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4A504F77FA20D8A7113507FB697224,SHA256=A5D814156EA880D4BD0729FF933254E6D8D6730448FAAD45F087BF87910B0059,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.114{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64785-false10.0.1.12-8000- 10341000x8000000000000000274298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.276{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.276{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.276{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.877{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FC85E97CBF0CFC1858E423DF24944E,SHA256=E9FF55FB1D30961E63BEB2CCB29C396ECF13B5B157C1BB28013DBFD6A8D37C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:45.792{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:45.136{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073B8B28EC668B74529AA7C0E87FB954,SHA256=40F04810F0E1AAEC4491F66B94F9AA7D2246C27ADA6F62D8A95C191337B65D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.362{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E57A2557173441D92C1B0A7294C68BA,SHA256=AA7E930CFEBC6A7F97D7FBD274D637741D2B373B1DA7E264C1CD5C6C5E62A3D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.277{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.277{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.115{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.115{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.115{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.455{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57413- 354300x8000000000000000274302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.436{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64786-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000274301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.436{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64786-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 23542300x8000000000000000274314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:46.910{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407ACF34A6AAED70DDCB4ADDC1701F1E,SHA256=1D75A6F05B0B4E887D4CB4BDF3FAD32881013087DA5BDBA7E090787010B89B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:46.230{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3EE735251250B6933466F7582AF858,SHA256=048D63567297B5326D3221D91ABF5E2B40F3561954B7BE62A829A28DC762FC28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.288{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59005- 354300x8000000000000000274312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.280{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64787-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.280{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64787-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000051423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:45.865{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50896-false10.0.1.12-8089- 23542300x800000000000000051422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:47.324{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51CE2847C87427D503D8189021C9D6A,SHA256=CB2CADCC7B6DD175161BF111851E20AA747B14FBFCF8589272959811E15B6D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.114{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64788-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.114{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64788-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000051421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:47.167{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=082049621A22E250424E6AEEDCD4A64D,SHA256=193FD8CC36BBA05BEF7CBF32F782302FEDC10A47CD6871DAE3723EE640009AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:48.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6232780D372D2F5F3EE0655C955DD543,SHA256=F5CBD878940FAF211AE159AF8866C78D25F7773EC789E13D388D796540DE4608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:48.758{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:48.459{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=8ED9947FE6A0428F36A6BC3C4EF03A21,SHA256=EE7FB5E653ADDC009F07B80EA25B8B413BA4F45BCE106033631EF0C72AFCE889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:48.043{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08D2A4A514BB4AA3B0526DC6CAB3C77,SHA256=339C808B3EF2D227F52545CD1CA56C2379DDCE3B6BEA693DA0DAAC97238C12D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:49.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD040BC2FDEB63B4E4CCFC9AFBF62B3,SHA256=D2513CAA78BBB7F2B362D7D2EF0197D2810BCBEB66B34D7FD30CC320A95D648D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:49.173{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244AAF05A6948868A4E92F3035A907EE,SHA256=25D6039688B2E2F508A31A577AE9979C6148A5408E1AB512F0828FCF72A102A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:48.115{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50897-false10.0.1.12-8000- 23542300x800000000000000051427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:50.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA349E7C5AFD15895880FE7BF34BBAEA,SHA256=A3AC0ECF57721CEA2B7B233AB6E51C9678E8BE8E88DDD9557BB20CDC2462EF56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:47.747{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64790-false10.0.1.12-8089- 354300x8000000000000000274322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:47.233{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64789-false10.0.1.12-8000- 23542300x8000000000000000274321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:50.205{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C080907171B18EC1EDFB24A2E6A664,SHA256=4D7C12337F16C721982F95FA9CB3139627DA51AD9C676DC290C40AA49CB0E2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:51.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6996123B374372010E9707E0FE1EA6A,SHA256=3A332436D0A7C8A79D1B1AECD4617055A5797764671AF8B9E52CE0A42E78B68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:51.255{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A998A8EEA6641B67D857F2CE224A9C,SHA256=2A864CB6BA2AC4D93D442946B535E8600550339857A72A627FBB47C5C961AB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:52.792{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617D5FB57B3F2DD8A2EAB9E02B4E63A7,SHA256=ED48F9CB72A59A0D5E5CCB1163F5394CD722B7D2C549635DDFAA674F4BBE574D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:52.370{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5642C3F5443E804C74AACBD54F72446F,SHA256=A51137D2AC2809BD456AF886DB187AA68393F09C829953A734487E7C99BB0689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:53.886{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCBAE8738089D590035F9A09716BDA0,SHA256=110C3F0B14812459D6F10F2FA33D74AF20089E8DC5D959D635CED1A8ABA819CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:53.469{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=7343AE3BEA8C2C2930BDE4B3E1FBBC61,SHA256=8379E1FB3C0A54C8FF5378FBF117B3E979E107571F1A2287555F9DD62A55DC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:53.402{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDF006F76071BDF53861A4DC76574E4,SHA256=D29C2E7BAA347CBAD7F9BA84A3FD021F83A17C849793A61CD188FCA3BCBE92BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:54.980{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD7A4AD3E84FCBDCF8D9EF90F0263DD,SHA256=42AD6F6F55CE4D774E22218B21C7F6239D639696350824D69C1199B2767B71EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:54.502{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1EE5CF419083EC02616582E4CCA0EA,SHA256=A7F91EA77F928277B0713B615D580F4E9747AAE9CD9177B93401FAE253B4E1F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:53.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50898-false10.0.1.12-8000- 23542300x8000000000000000274329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:55.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A93070523B6DA04331C414938BE72CF,SHA256=A549F02FE8E1FCC68F6905D302D0D2E168CE0A801CBB9A038FA70010051D924A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:56.725{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648DF919298125AD2CA9B6BDEBED8067,SHA256=6573B5F173110B212B9D7BD94F9BB04105B0EAC75E9411EB3EEC1146526652B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:56.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A015EFF8135215C484AA4D788AE3D0,SHA256=E3E8FBC409EC2B788B2537F57A78127681096E506B7D1299098224ACF4AC313C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:53.058{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64791-false10.0.1.12-8000- 23542300x8000000000000000274332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:57.870{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91E45E90FF0D21D20C1BAD5E303A69C,SHA256=ED1076D9E2AF9C329B472E5CA2DA5F6C8294BC6059B34887806CAE70908CCA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:57.167{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830375D293BBA8DBACB63AF9093D0959,SHA256=3DDAC201440488F8DEFEB4E6FC6ADA4F6F9DC9862BB7C45DE9505398C890D54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:58.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9B4AAFF7B6D5A89FB991B7EE062408,SHA256=A08F469E099AEF43AF7490D97B136979133A5275CD39F226ADB1CA5C9B395CF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:58.318{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50899-false10.0.1.12-8000- 23542300x800000000000000051436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:59.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2071DC00FA6F552F33CFD54F4E7F0AA1,SHA256=98BAE7EABC85496DEB0F2A57B2160912107A69320245AD3C894DB3DA38B5A18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:59.002{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAACEDDD04AA8D1531308E7A8501F50F,SHA256=077D4C5F7372940E9762D24A0C73C112156A5107AB8823E95469E4828C31E94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:00.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEB8C8F68DBD501CD09F2090BE3F4AE,SHA256=7A155B0295B5711ADFC3DF15284EE599D42224FE4FF11441F72D80F139E30D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:00.052{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06DC5A0347DDA09FDFF2981364D646A,SHA256=853676EADE4F9DF2DA2A621EE54C374BAEC120F5CEBE6AAF43955E03FE43AAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:01.542{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C19BEA81F6070B1C795AFAC83C35EB,SHA256=2D4CBAE4FD25323452C5CBD33670A15870A609C38ED2AFBF0D73741B716C1D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:01.752{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0DF94D542E03A0675E8F491C1066A2E5,SHA256=BD81A72E34AB355CAB6FA1FC750CEBEC92A4512812E551811C883EE8C34AB1DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:58.058{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64792-false10.0.1.12-8000- 23542300x8000000000000000274335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:01.084{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31AE9279F8572821CAA01FFCD90A17A,SHA256=62B2A94EF71EB8D43A2B722B9F94B57511D372BDC669C6227D19653F951E0439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:02.636{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66435F3A7514528C8C18D28D5D787CFF,SHA256=E47A7E255E7990A14BBF686C6D7E56BE7C1CED39939538858C2878A8D6B95C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:02.136{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBA9DDA064331A35EC472467816480D,SHA256=CB2D85F631EA91B86105729C677B8864CF4ED6650C75C260F0FEBCB6509DE8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:03.730{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245678FD3B25E54B8A7D4C3707822B73,SHA256=4CC2D39E5DB8BE5AD8A6CD8BD0331C25AE8610C6E836A505B24612CC0393D452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.650{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31FE9BF353E0BCCA94699071701D4348,SHA256=8204C7CB2ADFACE01CDF3E6D1421BFF8DF47E2A5B2803CE2DBA81DC6E24B9FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.282{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60008EF87D0D1BE946E5E88B2303BF86,SHA256=9AD2C31B97FE92D1D52797F231534441DF441FDAC2373385DC1E6CB067E851F9,IMPHASH=00000000000000000000000000000000falsetrue 2354<