23542300x8000000000000000276851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.691{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2902232CE9D365E98A45C6EAE573851,SHA256=7D92D040751A00B734CF012B2988C7B6C5155DABC7114FB6D2544384C8717360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.591{F81F30E6-F3BF-62DF-7504-000000006F02}65006896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.408{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:35.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436EA6607C38211854C04672CAF74C03,SHA256=0973402C0CCA60D3ED4DB075D2F6436E69E5620A9E305DECED80510F15FD0BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.348{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-108MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D75819FC72A5F1F7793651B829E1ADC,SHA256=541B42CB4447EA5B441C3D1034ACBE7510620F9CB3D8376A3588B792FA457642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.474{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8915943F61DD46D3D6BEAC42ABAA27FF,SHA256=99527D1C48CD8E88E3BF0B9E514B5A69B9DC635AADDFACD8E7ED08C52ABFB8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.360{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:37.340{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAE280C87914964F2E2A1901C0A3B3E,SHA256=B19CE1667BE1DFEB4F0554DAE590503B261F0C0F38E4F4109CD67FD75AB2DD56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.605{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14201F468DBA4C5E2342AE9C4C39ED1,SHA256=5C596C0BCA9E66458C0C33536F45418589C570D392177A990E4240ADA7541B6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.087{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64955-false10.0.1.12-8000- 23542300x8000000000000000276872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:38.642{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2834AF453B6590889F3CF2E6F2A11150,SHA256=B2E4719CE0A66FE37A2B1DDB8873E2D4D964C9CF3835221762060F92B7AA2900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:38.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A87E2BDA7813CE6343CBD844DA3564,SHA256=6BC2A88916BA8E2B5CF871434B4B2AFFF3A52F78EF8DD42F6F2ED457C0DA158E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:39.527{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DB2128A1FF3567C5A8AEABD4A5BCDE,SHA256=7C60D95E653C8BF776E673FAD1301AB78A0FB8730F3AADD0B8BEDFD851301E59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.985{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.985{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.943{F81F30E6-F3C3-62DF-8704-000000006F02}81362408C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-F3C3-62DF-7E04-000000006F02}69884576C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.932{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-F163-62DF-1F04-000000006F02}22646864C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.901{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-F3C3-62DF-7B04-000000006F02}77842404C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.882{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-F3C3-62DF-8404-000000006F02}73963224C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-F163-62DF-1F04-000000006F02}22644128C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.862{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.842{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-F3C3-62DF-8204-000000006F02}8040436C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.822{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.822{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-F163-62DF-1F04-000000006F02}22647084C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.795{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-F3C3-62DF-7F04-000000006F02}42526716C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.724{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-F3C3-62DF-7904-000000006F02}74566672C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000276957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-F163-62DF-1F04-000000006F02}22644664C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.712{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-F3C3-62DF-7704-000000006F02}48086368C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.697{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000276932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-F3C3-62DF-7C04-000000006F02}62724240C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-F163-62DF-1F04-000000006F02}2264536C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.674{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-F3C3-62DF-7A04-000000006F02}11524952C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-F163-62DF-1F04-000000006F02}22644804C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.638{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-F3C3-62DF-7804-000000006F02}41166396C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.604{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.604{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-F163-62DF-1F04-000000006F02}22641576C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.601{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:37.286{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51024-false10.0.1.12-8000- 23542300x800000000000000053279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:40.621{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2514B8937F8A2C82A01472ECC2A570BC,SHA256=153DCF9013834F3E7D39790BBE1A7747FE8D037946C747DC267951FBD1B98CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.727{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7DF994EC3E80261AC2A1F5BEBA1986,SHA256=AC99A09CAD4A316A5DEF878F3811BCEB139CA4796015DFC9177730D82CEEAAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.643{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9977CE023B7A6B32BEA6374AA6BF6ACF,SHA256=E1D947DA954435FD2DEBCFBF555ED4F3C7B4989650A96B53896D78007C27F162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.643{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028341CDFD6DD76ED7EFFD38B58FD10A,SHA256=C621F27787B5B40744FEE9A167B333164A0ED33D1170C03DE718F97D1865CF67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.574{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23349B59B789BFACC43446BE0713F1B,SHA256=FF72A52A87F61E963233B30CEFC23FED3DB9397FD772CCFC3D9E859CA2F2C0D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.505{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.458{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.421{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.405{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.405{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-F3C4-62DF-8904-000000006F02}41648112C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.398{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-F3C3-62DF-8604-000000006F02}19247832C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.364{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.326{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.326{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.323{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB24BC7956B7CCA04D1F8AFD5E6CEECE,SHA256=F53D431F43CA879A20FC74F0A36625B65FA29AB627CCB5128FE5D0BBB8211F39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.259{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.259{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-F3C3-62DF-8304-000000006F02}40725480C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.228{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.225{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.127{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.127{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.124{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.124{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.123{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.123{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB73A999A580F33212303ABE7845EE9,SHA256=66FE90707F53363E825D80658AC77A2ADCFD8F270829AD7A702C234C7482F118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983FEEAB3BB369870DC33052D478EF11,SHA256=1083874963DF99C9A4D993C3FB5D59A11366F85CF079B401067244D071DB2A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-F3C3-62DF-8104-000000006F02}78524020C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.075{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66826BAFC88C8D468840BBA793B9FAF3,SHA256=FA8AAEC9158A2614DCF845C155AC7AB9C2310D639227780FA132ECCEC6B142C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-F3C4-62DF-8A04-000000006F02}80287972C:\Windows\system32\conhost.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.026{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-F163-62DF-1F04-000000006F02}22648128C:\Temp\dcrat.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.007{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:41.715{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1773ED5F1B0358AF42902AA9539DA7,SHA256=32095D5F29398D811EBE67EFA7B6EAD18293F6C8A7BE1CC39462169D6B93C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.773{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E9FB544CE84846B158C08381CA80A7,SHA256=079A3159870E14ED2268DED2EDEB2C1DCB2811F20C2A9A1936895E281C7E5D52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:42.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C33AF63AF418F85BC20F03F2B218BC8,SHA256=328479A83200E31168DF136A53F36276F329BA34903FE134703F86707ABCB4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:42.825{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC47F653D861F7A9AA5F18B810A3C8,SHA256=36E06C10DA0C428A34D961CADF11DC3CBEE3A29138F2694B0CEB79DCB3586D53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.186{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64956-false10.0.1.12-8000- 23542300x800000000000000053282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:43.902{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C13D59989746AD2BFBB216E8B0FE11,SHA256=C7F51C4BF92BD8853A63B1F36E6D45FF77785C67E8D2EEE9A0EC91F109C13724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.944{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED2A210D8B5061AFFD8000AB9A589C8,SHA256=E719A3CCA336591FF973857E3A929EC8B83A7FA034488B7A2A3531F6C516B1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:44.996{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C865C710AD8BD228A25807BD69C22DA0,SHA256=BEDC9C70686A53A793056C899E46EE528B15D0FF4E400DDF9E77F5B75232A107,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:42.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51025-false10.0.1.12-8000- 10341000x8000000000000000277344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-F3C8-62DF-8F04-000000006F02}66281068C:\Windows\system32\cmd.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.663{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.625{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-F3C8-62DF-9004-000000006F02}80927828C:\Windows\system32\conhost.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-F163-62DF-1F04-000000006F02}22648164C:\Temp\dcrat.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.608{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.674{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34AB882CF35614A72C7836F1FCF1EE3A,SHA256=0B57A41614863CC7FEBD27CB5AF2A37B122A2C353CFF9186C81AD6195580C0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.259{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B20692087D9FA411651976186509A6B,SHA256=505EFBE5401571905E3A074E086DD123AD3FFC254FC8497C2B5BA918A53F08C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.259{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6BF11DFD7D6611E1ED5D637E9E3236,SHA256=89964AE4554933E4B760C848D2B877B88DB55CD7ACD6ECA80A634B342FCAACE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:46.090{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46659E21F8827006162F94F263E7A34,SHA256=0D95FBD14E179EC51F53822AD3A91831BB7D74946BECFCD08836A7C6341255F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:45.996{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:46.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512DAECBA5192F5A4350669B51066F69,SHA256=2CB12DCB6ECB53E2B1E296759C22E530F66BDC1AD6727C95AA9371A728620DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:46.052{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51026-false10.0.1.12-8089- 23542300x800000000000000053288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:47.340{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2071E6273FC109C8C495EDD4283C4369,SHA256=9BC5D9DD6450B71AB6470BF09E93691936378DDDC2C48E3B3C0BA6F8F51A9BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:47.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6EA0ECF4D53638C924A6B4644C1097,SHA256=8BC14896D1AD7D53BA1D09DBD9A5470DFE846D76844720441A8D6BACB4ED8CD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.391{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C912A7AFD93EBF090CBE4250E5251FE7,SHA256=98D847DFB5F6352F5C9DD9C130AACE944419068C495EA5E95D0B295FDCB98D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.132{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64957-false10.0.1.12-8000- 23542300x800000000000000053290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:48.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CCE370BEA71EE31C35F999823F77C1,SHA256=8EB0474E92F9810A84B743B36BCB4148776AC959CA228295B7366C204C49E82A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-F163-62DF-1F04-000000006F02}22647940C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.962{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-F3CC-62DF-A604-000000006F02}70366612C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.959{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-F3CC-62DF-B504-000000006F02}33368008C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.924{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-F163-62DF-1F04-000000006F02}22642984C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.917{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-F3CC-62DF-A404-000000006F02}58446448C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.913{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-F3CC-62DF-B204-000000006F02}72287548C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.861{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-F163-62DF-1F04-000000006F02}22647380C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.854{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000277731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA76DF692EC20E0ABA2980461D17591F,SHA256=2E6B0430243768ADA0BDFF8392DBCEADE7001EE4090131BF5F288F9930C7035A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-F3CC-62DF-A104-000000006F02}58927184C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.835{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.828{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.828{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.824{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-F3CC-62DF-AF04-000000006F02}78487764C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.793{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-F163-62DF-1F04-000000006F02}22643008C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.765{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000277703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B820CB67CC37F073FB8D59F1B95E3CCE,SHA256=17BD34BC0F7EAEE13F39FAF0F55FFD41E898199BD6242FD80C699CD32A1AE2B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-F3CC-62DF-AC04-000000006F02}75722816C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.729{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-F3CC-62DF-9F04-000000006F02}78921696C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.718{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-F163-62DF-1F04-000000006F02}22646620C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.710{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.677{F81F30E6-F3CC-62DF-AA04-000000006F02}35325244C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.662{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.624{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-F163-62DF-1F04-000000006F02}22646824C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.609{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-F3CC-62DF-9C04-000000006F02}73326812C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.600{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-F3CC-62DF-A704-000000006F02}47206860C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9DE6FFFE9BDE37D7DF413B341B9BC8,SHA256=6B43878FCD36972407C346B7BC058B8C0D96DA38C6B06F4731239BB5D0305047,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-F163-62DF-1F04-000000006F02}22641928C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-F3CC-62DF-A504-000000006F02}10647560C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.459{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.459{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098479A0AACB0B2432AB623C079D5E87,SHA256=2B3C42775236097441AC7B9E51A50A4055FF7C58ED7BE12BD314797DBB140B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-F163-62DF-1F04-000000006F02}22646720C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.439{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.425{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-F3CC-62DF-9904-000000006F02}68287008C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.424{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.424{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-F3CC-62DF-A204-000000006F02}43005732C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-F163-62DF-1F04-000000006F02}22645436C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.398{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.359{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.359{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.343{F81F30E6-F3CC-62DF-A004-000000006F02}79447912C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.328{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.326{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.325{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.325{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.323{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.323{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.322{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-F163-62DF-1F04-000000006F02}22644884C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.319{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-F3CC-62DF-9704-000000006F02}28522872C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.284{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-F3CC-62DF-9D04-000000006F02}78762540C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.259{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.259{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-F163-62DF-1F04-000000006F02}22645136C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.257{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 354300x8000000000000000277476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.609{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local138netbios-dgm 354300x8000000000000000277475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.609{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000277474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D8AF32550175F831EB7818FC6A9E5E,SHA256=70D2F0E6E7E56CD5C371D62B6D9BF1B4089B879F00936BB0425D9A7CCB6E35B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-F3CC-62DF-9B04-000000006F02}11324524C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-F163-62DF-1F04-000000006F02}22647188C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-F3CC-62DF-9404-000000006F02}49486928C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.207{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 154100x8000000000000000277437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.207{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-F3CC-62DF-9804-000000006F02}12407176C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-F163-62DF-1F04-000000006F02}22646168C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.150{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-F3CC-62DF-9204-000000006F02}72608036C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.142{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.124{F81F30E6-F3CC-62DF-9504-000000006F02}65563716C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-F163-62DF-1F04-000000006F02}22644360C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.094{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-F3CC-62DF-9304-000000006F02}72686012C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-F163-62DF-1F04-000000006F02}22647452C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.047{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:48.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51027-false10.0.1.12-8000- 23542300x800000000000000053291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:49.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A3CAD071F089662574C3E2DB026D19,SHA256=547D10F0034AE7B8D0E0F73227383EA89D96226BA3C63808C4EDF72F6273B797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEDBD48FF45B48D02AA079DFA954790,SHA256=19379134F146547C8954AE6468C17B27DC83713D528C656CBD72B3E0B60F17D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.626{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.625{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.625{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.624{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.592{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0514714657D0239DC68CD41FC60D483F,SHA256=365FC7C50EBD58428D25DB0AFD9F0360E5CC7B9FAB76ED3318106AD8B3218BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.508{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.508{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.477{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.477{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.461{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE6A41A68B19C87F232848D676B2BB3,SHA256=7D7F099264BA409C6912CACD28A7C06115527D929CAD720F74A35D6BFFCC526F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.429{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.429{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.426{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.425{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.425{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.424{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-F3CD-62DF-B904-000000006F02}8068292C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.402{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-F3CC-62DF-B704-000000006F02}65605284C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.352{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-F3CC-62DF-B404-000000006F02}80206100C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.311{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.293{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E9E028E1473A5F2EF71BB6D204E0E8,SHA256=7CC4BDF43BBA877EA2608582F4D46BE53BD7DD6DB824940A9EB436DC1EC6C459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.293{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-F3CC-62DF-B104-000000006F02}61603680C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.263{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.230{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.230{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.229{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-F3CC-62DF-AE04-000000006F02}57163196C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.210{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17013CD9505F500B03AC7A9F6C572C9,SHA256=CEA2E44B02A4A3183C2CA980F4F343F800C51785E41598D60EF19D72930B64AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-F3CC-62DF-AB04-000000006F02}71162544C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.148{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.108{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.108{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.077{F81F30E6-F3CD-62DF-BA04-000000006F02}47485292C:\Windows\system32\conhost.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332E3240FBD5B3E73CE85D1D01A1EE3E,SHA256=01AA95D2D301D73706FEF22C7F54CBE5B5AA1F9EF5E277802F14E14B043F826E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-F3CC-62DF-A904-000000006F02}43166604C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.061{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-F163-62DF-1F04-000000006F02}22646308C:\Temp\dcrat.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.053{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000277833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.024{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.024{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-F3CC-62DF-B804-000000006F02}65207656C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:50.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3E5DB47EDBD62BD6E00DA26BB59FC4,SHA256=7C55B0F1252ABE8A5C147534ECBA95FBC6935CF690D576AC20FF4C02D3415FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.544{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A078EC301729A89F3262E3F37616D8,SHA256=A25BDDDE3EECDE4AEB5D630BA7A31D945FE862966A47648619DE5B89EAEA44D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.005{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64958-false10.0.1.12-8089- 10341000x8000000000000000278109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.326{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.325{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.325{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:51.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9006276A851E7C83A3BD26F1AFB619,SHA256=656237587244320087FA0D4602EC64BFD1EF70BE7E41BC4C133A3720F06C7F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:51.644{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5775AFC281C79AC34EE3F3FD5B8A54D1,SHA256=B1126DE326017D64AAC61CC7E161F4457D0DCDD595D2B776B50B49BBB5E19173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:52.558{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710A6E0B8E8D1436B94BFB6DE1F68FF0,SHA256=5AF01894F8403016877DCE48AEB7A67F4C6D9580029F4CB5E972BA5319AB3BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:52.783{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CE06839FE9C0E228E321BAA6D366B4,SHA256=9E1A1B2DA5C9E3D756BD6E215A3B783F6F02BB61D2161CF8DBAFE77E219AA4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:53.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D933B005FC6E19B3F44D6BE7CEFA7844,SHA256=7E97A369A83A009DF105D010F56ECB22CAB8F5C635466C5B0B1F243BB95216CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.881{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E86C3C000BA017AEF4F97FB9B3F80D,SHA256=3470F872B119CBF81E5761A47C8F4A9C683FCA33B5EC13078D0F86F237722986,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:51.037{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64959-false10.0.1.12-8000- 10341000x8000000000000000278115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:54.746{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B405D6364241CFCE252BA46A1B0A272E,SHA256=91476BA5BF17284D213619D4DB9B5AB762D72018EDEFAE08C587217D6634CD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:55.840{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E893732A2AB76C83DAA676938E75869,SHA256=CD4AB21ED636E11099850B5044006A152DDD44675600B53A91A36846972ED0FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:54.223{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51028-false10.0.1.12-8000- 23542300x8000000000000000278118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:55.012{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD703DD830F6C0F611526E355966BFC1,SHA256=DD07873AD3FCF7A0748F5BFF01FB30A1482DFDA6B06AB3488F908716E0D445CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:56.933{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C9FE0E32F33D7AADC72E2667C7FF8F,SHA256=102479084683AEAFE9BF1F5426A0567EBE6F183DCEC0839A340DE6B3DEDDF855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000278122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF66f80b.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.428{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=584D5F96DD30DE58A1219FCA89FB4F11,SHA256=C76D157142E28131F3FCF81F97167A99DB85FC8DCE313BF3DFA6DF27013F34AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4462653B8BACDAAE25F56F244D27ED22,SHA256=33BCCD9B0C754F6EF0A85F8D77889294B7ACC7C643428E8C71234E2273997E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:57.394{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=7B37D23C0EAC1D88C8C34B5BC6480FC5,SHA256=4FE4DCBB4B89D722AEC92CB2C236ECA859B1606C9D7733E9AC2324F5362B1D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:57.094{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B699782792EA2C1F8C7D2013141847,SHA256=7A261A24BFBD92F40C15CBB279702673282921596899991B9D68E8B342D9BF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:58.027{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86B11960781BD51D180E1BD7A069C67,SHA256=52FAE7780C75FFF910731AAAC92C5ACB8B1663242F0E7CC112868C87BEB46653,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.041{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64960-false10.0.1.12-8000- 23542300x8000000000000000278126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:58.193{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E4E251130618496B5EFBD5FC7031F7,SHA256=CC527006979D73C5E7C87A608EF2B27DB8DBAD764AC2928EB021265CD96A6130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:59.121{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD0C39DB1939809CA52E9A3D8399320,SHA256=D9186155C31A2E68F4155EDADD60F1180239E88B82F0CDA11E7293C6A238298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:59.226{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94592D9E50DDA311F7BCB26DC4875746,SHA256=D9A8112DA4B066913247B87DD074F07DAB4921106893837292464AF6C733BB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:00.325{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E5ADA1085CDCD240531DDF83076C82,SHA256=1D6E431CFF2856424D2CEB2F0E6C18B56139D8F0DE59DE1D01D7167A03232F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:00.215{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C56CCFE8FDB9211862A24A530614457,SHA256=B8C5CC470AC6DF9FBCE5BBE09CB2DEFF9A61B326F965BCC3AB59658C2ED59917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8427640B4DF5D0F9F8623C7595A7277,SHA256=FE7A34B42E41947270C84BDD39CD7AF3C958B051FB6202A2D5BF68DC4FD46161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.345{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6A929628F37CF38CC47CBE83CD06FB7A,SHA256=91F5D2B73795D0B93AE7C4934BEF5D8539BA75A3EC90EB6B87780016EA8023AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:00.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51029-false10.0.1.12-8000- 23542300x800000000000000053304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:01.308{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78A83400F4D4AB2829175B479FD7E7E,SHA256=7DB0691793FDEBCF0ACE32CE2A21CA505786050DEA39D026E4F8571AF831D50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:02.475{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC805D9C96042720F80B373AD43C9415,SHA256=BE4AED077D8F30D673CB0036B7D04E4C19376E0E5BB32FE3B95757412D97A4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:02.402{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADB2D434C86DC17696C68CCCF5A5506,SHA256=11C4157E1D267009163DBEC952BE16E5DFC539788FE6C0C440B4D1B25FE6ADCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:03.496{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EA8EC6CB640CE9CAD35287D44F3350,SHA256=BC044935040C24159B2FF213C2DE97D1AC4D4033556181BB3AEB0629FEA47462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:03.777{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11C276117F01579D623CD5C42AB79E1E,SHA256=09AA8B6E24D4207392933C09333FE951E6514C33AA927490DC40DC1C2E177018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:03.606{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B871CC8300220085B9FFCD91127B6E,SHA256=5AF8B99548D58BD46236D0BAA635C7894587ADDEB2EB42A5FBF12366F763084C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.219{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64961-false10.0.1.12-8000- 23542300x800000000000000053308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:04.590{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F0C789915DC3977DF50E9269C15945,SHA256=E65744B6F54C091EDF42DB59D208832A3FCDDB6F53B2058F7C08909439452A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.718{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64962-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000278137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.718{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64962-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000278136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:04.594{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DA17D6BDEBB421C691F80078F37BAC,SHA256=A0F3B4D6C2C6A258D4B1B650D3774FE4F8CF6EB81F7DBDE943D77AE412F6D0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:05.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C162010F3C067A6BB7F1520DAFE29D,SHA256=9D05FF6FCAB97BE81C61470EE63FFDEB3BCF6182D03FDE166B390F73A1A53A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:05.626{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF2F3D5FF4EB3AF0BCA2BE1C4744AF7,SHA256=9580218DE68354E1AB117E28612818BDE35FE09450682D91A8F21872035FA12A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:06.777{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCBB94D5405A32487B5B8E1449A0651,SHA256=FE41259BDB5A4327892E10618AA2E68B652F6513E0C8591E6A46B94BF2C8144B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:06.668{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50253AD917B03DE9077948B9377CAC17,SHA256=31FE634510DDBC1D8B55131EF054995EE55654BBC8B61B93364497996B892E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:07.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604320F66E474F70DFDE6CFE7F7C6C90,SHA256=A88DD06601B276C384C4D601626473C06189B872EA55663A8D834FEFB053B581,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:06.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51030-false10.0.1.12-8000- 23542300x8000000000000000278141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:07.713{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF6F8D09F787DD5C71B7006D0DAC6C0,SHA256=D4ECD4CB1E8C1FBBC189404CBDFA4B22AE4A8B626198E36B78FB41863A744F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:08.965{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F217C28C2BC06B625249B228610A1B,SHA256=EC4EC8218E4529690AF1925D0ACB730CAC9DC499B4FF7662BCC85A2281B8EE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.839{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC04A56DB2499CAEB762B6FE98A4790D,SHA256=EC4D79EAAC77405AD296CDDBED7BF4DE2A1AD888825FE6A1EE0750A223CC0D1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:09.974{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D538CFA391D05A4EE7ED3AE667579F07,SHA256=85C8CB0CD2D9F7C199F0EBAAF8C30E007BA5C73CD6284018A89E9D34D7A9ABED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:07.215{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64963-false10.0.1.12-8000- 23542300x800000000000000053314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:10.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C527A1D5E78A4843E5EBED76A9F552FC,SHA256=1CD8BC12D1677EF16459CDF10FCA2FA79094D0690A245BBA1A0D533563A44E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:11.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC27A3F9F5FD58046051FB1C2B4BD402,SHA256=B4EB1CD6144B20182EA995C1B189D90DDC2CDF3DBF79691A7FED4F2EB6F6FD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:11.020{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BE293AAD0717F58C3C2EE9AC84D245,SHA256=EACF7CADA51F1523B3309A8A102838A717866F031FD1C55775D56CB2EEA637C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.918{53069400-F3E4-62DF-8E03-000000007002}10524028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.747{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.371{53069400-F3E4-62DF-8D03-000000007002}656288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AFB8970FAF4FF231A9EAEA546A8F27,SHA256=0EC1E217BECDEAA5A152C979CA56DB589C2BA5A694D22C1CA84574090757865D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.184{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:12.056{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6740A9C99DB25043E6A115649125F0E8,SHA256=EE5D143D37DF958AA42EFC9BB55C333E4579EE4D1596ACF5E9ADCB0D73391AB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.872{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C07FEBB43CA1C2B5A7DE725776B1F3,SHA256=C851584E7FB3F8A1539E1D2CDCDA30AF4BDD1D68E7F69A5EBC245AEEC70384FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:13.101{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD7833826DC849FEF00A1253DF3799,SHA256=B84E105850F87A7D3C67A4BAFC651CD804CBEC017C03DC4DA030B7602D541610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.372{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3A5CCABEFD89ABA2A041F68C21DF2C,SHA256=EEAAAA745E15848D430603B54ED5BF8FA1A1A6EDD21ADD5D62F5E03C18E7AC03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:11.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51031-false10.0.1.12-8000- 23542300x800000000000000053388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D17BC50FA381B5489A37761D86C63DB,SHA256=ED5557519D585D77E747B3E41B4B348E4544315923E6F1CF089B37B50BC9E203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:14.155{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF154A21EF915161BC91BF2B26E1A0D,SHA256=FDE2635449CCAE858A51702DB6401A9064D12BE6B1BFB76373698C98E0D0CF2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.512{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.012{53069400-F3E5-62DF-9003-000000007002}33363624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.794{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0ADA6F59852D2CE8A9D3E3FCAA00DD,SHA256=ABF95E6BF2B407CF6F55D392EA072512E5C0A7135744F660B342DE0F53B62BA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:13.167{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64964-false10.0.1.12-8000- 23542300x8000000000000000278157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:15.200{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0399AB257215AB22D9B1E713D642D211,SHA256=392C64CDFFA6F5F41891995AEF724A5B98C028E475DC4428731587C3924DCA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.293{53069400-F3E7-62DF-9203-000000007002}37643940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.137{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:16.871{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A337A82AD01F186E271F8277D5763F09,SHA256=64AAEDC42B628DA9F655497ABDB331431393BEE07E5EED2FD1AD43C24B0D6B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:16.761{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D8BD6E44C96E0FD339B4B819930635,SHA256=160A81EB3B7B2445C40813502C9FFDB799947B887713444A2FC7CEC6637EF1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:16.255{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAAA1CF1AF5293C4822A54A2BCC31B8,SHA256=261A98B7402F2BDE8009252448EB4A97989AB695BA88D494ABD70EEA9CB9D6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:17.855{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8F82ED16AE953C316E1AF987948791,SHA256=AB6C4E2991D8BA7DC96C4F973F4BA39C4E8C1A1484F3000C7AF37A75459A9413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:17.285{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E383BD41954DF4AAF57EC12D995DB6,SHA256=5DCC9BBC4BBC06E9BCA2E59CB76B79583F639C6B139FB5567E70330155E368ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:18.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CDD34EDBFEB49DD676938D3B020F49,SHA256=1CA001C1F0DE339E2D47850B820162EB4C4D2B6A7AF069A005D6F807DDA053F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:18.333{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8401AB64F693454EDF007D5F8B2FB2,SHA256=E3DEED04865197A115409B793D243D3BFD4AA6A8236CC976646237CE2E4719F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:19.433{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C55BF5D78F5F51EFA1A32E4695C153B,SHA256=E88F2DB93A84A31BFBE6614D43DBC384166767876DC7331676CC7E4F851462CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:17.255{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51032-false10.0.1.12-8000- 23542300x800000000000000053422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:20.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E9D43F4051F6CFB12685763B679612,SHA256=BE7E109E251C0D7F2F3C8C0BFBA1FA8849DFEE6F7E108F4EC2B2AD7A608189FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:20.467{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F27EFA5626792182CE5BA9F5F5B21A,SHA256=660D632A6552FF1D6C3C04CB155BC1C83BD1C6E50DE470302A0ECA47BC09FEC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:19.095{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64965-false10.0.1.12-8000- 23542300x8000000000000000278164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:21.513{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68B302A97EC3DF53FD9746F1058DEF0,SHA256=8D5B24F0A4537584F847A03FCC63B89097AA957F96568495174DF0C98236ABF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:21.136{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3B9B702593859C91D04963E5DDB127,SHA256=F16FFD680C5CDC3E1D4370E6AF3867FA5503C1EDF658BB4BFE790ABDD90DE9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:22.550{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D984FD12D8E74125B8E79B3674DAA5,SHA256=F34E8565050E967A1FFCD5EFA3FDF53F6FE67AEBAF44FAB5B131524D1544C775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:22.639{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-109MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:22.230{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230A487534FFF82E28FC6EC8534AD0F0,SHA256=DD50EE09FC430ACD67436DA445A4F3B1647CC859450226BF58426608A10F1F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:23.580{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FE6AFD54207A23BEB1DA6BA25B1C53,SHA256=3648E9EAFCAA5B3D1A2C1EB6246F3730A1D975F69D3E7C568CF6C6D3796FEA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.651{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.323{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5059ADC98D22DDDE06FA55A4BB56463E,SHA256=83575CC88F0D185C8A67AB7BDD5CACA643E27EC946980D894D3D6D5E29775D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:24.628{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFB85AC53A714817E562C442AF4823B,SHA256=7DCEE76BC0572ED59E9243F0A8E7B5F29476CA6A3E2780E405A5CA4E18029EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:24.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7C48742C843F1D7E5C02DDAE6D212B,SHA256=1BDEB675B1D964042B8135EB9D6B0375C5887EE2AED48B3F17A60B375A3C45F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:25.663{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9266AA328D2721C043D6C178FD0D2E10,SHA256=5D5D49947796A0B3B7E2D7244FC17A37309AE33D4E7F2920EEE4F2C10EB40C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:25.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B13381959014CDD48132BDA78D181F,SHA256=5022339BC86DA47943C3814C702219327CDCDA0F08BBBF58EEF47FD165621806,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.144{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51033-false10.0.1.12-8000- 23542300x800000000000000053431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:26.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA676CC876E65980987CBEDC6AD08516,SHA256=2D63D015E6BAC20648D8347BCA5D34CD9E99CF9E54C99D92F4DC42CAF2674DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.779{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5568105FBC03C9DD3E9F74BC13AC23,SHA256=671BCD7280CFDDAE3097146EEF6A6344B3DD60A9D5736165649FF31441896687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:27.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86198BE85EBF10CFBC34135483F0DA2,SHA256=C8E92FFCA70796E500F1FD275692750DE711E4982788C797757131C3643DD778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:27.795{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2DF2A4AE4EC2CCD945CE27F03241DB,SHA256=168D1C4646651804D2FA7DC540F3217D863E9C467A54456DB5745BB8911B2BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:24.190{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64966-false10.0.1.12-8000- 23542300x800000000000000053433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:28.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC09E33615F11A5DED1EDE149B83EEA,SHA256=89C61CAAAD668CB34ECDA7E26976F917EE8A456AA896D52450C5DF354CF06A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.964{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077BBE2EF5DCCA9575187EDFF2E921AD,SHA256=12AF2A5ED9BDF3D2E1E3218D6877C7CCD99541DECE85B55FD55DE05306A71470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.725{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.725{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-F3F4-62DF-C204-000000006F02}81807160C:\Windows\system32\cmd.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.708{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-F3F4-62DF-C304-000000006F02}58204968C:\Windows\system32\conhost.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-F163-62DF-1F04-000000006F02}22643024C:\Temp\dcrat.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.659{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:29.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CE84AC81448A035178CA8264B7171E,SHA256=070012C7A1223255D445B3F1ADCA8423597E76E0517743977F786B896211CC6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.850{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.850{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.712{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5497675E4256637248AC4C32944B4BF6,SHA256=AEE36CF6EA39D8DFC2BC57AC56E82C241DB46720C62F47CF64C940F4F0E937A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:30.981{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6175C9DC77CD87A726462A3833C457C8,SHA256=B3FC716ADA551D02A90AC8EFF741CC36D75D145D7DDCF49698C80C28E1DB2EE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:28.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51034-false10.0.1.12-8000- 10341000x8000000000000000278257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.012{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD0C3A60753557C792335263A965692,SHA256=62EF5ECF6636BFAE7903497F07080C377ACC30A40E5EEFE36BAF5808082143C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.894{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.894{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.663{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B1856292E6834D556F4B1FBDE93E45C9,SHA256=0EA511CCCB117E1A9981C0132981C6DB64E7CABC251128F89AD97AD8A2CE094D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C29427DEB6FA0382DA5A44A94A485E,SHA256=CA40BAD5B862F12B59B731E01858D79BB698CC11ACFCAB46C937161819EEE5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:32.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3CC33AE435A9B94D2BCD5F8A6ED9EA,SHA256=2642DB76A60EEBE3E19901FDD1518D748557A7E6FBE09B56C40B3F55994490FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.928{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.925{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000278275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.478{F81F30E6-F3F8-62DF-C504-000000006F02}76727768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.248{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.110{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF58F043CEEC5F840D083DFB6EB58D96,SHA256=6664419A5ED18CF6BC26406193D30673E9846BEDB67233A4AF950CCB2AD75432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:33.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA1ACB968CF3099A22C48EB312C778E,SHA256=A85F168F424679FC1A72B66C7B19FCC4C0ACBB71B67016BF8C01BD74F2F5D9BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.464{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.150{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D45B123125A94230F7A56224528DB7E,SHA256=9A2C5C0136EE11AC3C7B23A38A514C301FB81B44DF1CFE996DF2CE0D19C6169D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.150{F81F30E6-F3F8-62DF-C604-000000006F02}30848168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000278284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.078{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64967-false10.0.1.12-8000- 354300x800000000000000053441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:33.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51035-false10.0.1.12-8000- 23542300x800000000000000053440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:34.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54459C94FEB6913E517A660361985B0,SHA256=F4CA2F7A7D605E06304CD208D349B2ACC55569B87631D3A95FAEC0212A537794,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-F3FA-62DF-F304-000000006F02}87248748C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-F163-62DF-1F04-000000006F02}22648656C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.938{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-F3FA-62DF-DF04-000000006F02}70047924C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-F3FA-62DF-F004-000000006F02}86328660C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-F3FA-62DF-E204-000000006F02}82568260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-F163-62DF-1F04-000000006F02}22648576C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.882{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-F3FA-62DF-DC04-000000006F02}71885136C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.870{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 23542300x8000000000000000278734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF604104B052EDFFBFC79968FBE9F62,SHA256=217065C4514A4A8B9B6B69DA102907BE7FDD8AF5AE6C1A3004329284AEDFB958,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-F3FA-62DF-ED04-000000006F02}85488580C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.826{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.826{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.824{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-F163-62DF-1F04-000000006F02}22648484C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.824{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-F3FA-62DF-DA04-000000006F02}70844128C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.813{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4B271AEAB9E3C3B620E053CB7D9480DD,SHA256=014C122EABA681E4152600DA5A857AD770BFD2F9A245D54DFCFFF0E4E0618CD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-F3FA-62DF-EA04-000000006F02}84688492C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-F163-62DF-1F04-000000006F02}22648392C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.768{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-F3FA-62DF-D704-000000006F02}70167856C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.745{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-F3FA-62DF-E704-000000006F02}83768404C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0E867D3E35CACB53CD6BAE9B23DE38,SHA256=15864B251C672611543DE2B620F26DF11ADAF72870B0C9812CC36E113CC90BF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.728{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.726{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-F163-62DF-1F04-000000006F02}22648304C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.709{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-F3FA-62DF-D504-000000006F02}63845132C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.674{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-F3FA-62DF-E404-000000006F02}82928320C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-F163-62DF-1F04-000000006F02}22646824C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A9CDAC542A508FA28EFB7B46C9DCB4,SHA256=C3F63A560BD62241C8FB6439329AB110C6D713859C5B431D6025BB3E55EDF36B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.629{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.629{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.628{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000278586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:34.027{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BE9FFD5A750BB034D19294D9BF3BCA5,SHA256=2D9BDD234D74A1CA5E6B5203B77188527BDA2A91C60AE566769811A1F1480C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000278574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACA3E2DA0189E661BDD789422DA4D72,SHA256=2ABFCF95AF035F5D51E1671F62FA49B38E4CFA4357F273A9893ABC112DC52F74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-F3FA-62DF-D204-000000006F02}67766496C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.613{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-F3FA-62DF-E004-000000006F02}77688216C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-F163-62DF-1F04-000000006F02}22647380C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.589{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-F3FA-62DF-DD04-000000006F02}19285620C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F3FA-62DF-D004-000000006F02}2820372C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.556{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F163-62DF-1F04-000000006F02}22644360C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.528{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.528{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.527{F81F30E6-F3FA-62DF-DB04-000000006F02}68646168C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F163-62DF-1F04-000000006F02}22647320C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.508{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F3FA-62DF-CD04-000000006F02}25522560C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-F3FA-62DF-D804-000000006F02}52967096C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-F163-62DF-1F04-000000006F02}22647672C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.469{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-F3FA-62DF-D604-000000006F02}35043100C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.430{F81F30E6-F3FA-62DF-C804-000000006F02}67365888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.425{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-F163-62DF-1F04-000000006F02}22647392C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.413{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-F3FA-62DF-D304-000000006F02}965744C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-F3FA-62DF-CB04-000000006F02}70565248C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.373{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-F163-62DF-1F04-000000006F02}22643452C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000278398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.351{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-F3FA-62DF-D104-000000006F02}32966356C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-F163-62DF-1F04-000000006F02}22647496C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.305{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-F3FA-62DF-CE04-000000006F02}42367092C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-F3FA-62DF-C904-000000006F02}12766820C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.290{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-F163-62DF-1F04-000000006F02}22647384C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.267{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-F3FA-62DF-CC04-000000006F02}80566472C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-F163-62DF-1F04-000000006F02}22647692C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.238{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-F3FA-62DF-CA04-000000006F02}65928064C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-F163-62DF-1F04-000000006F02}22641256C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.210{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.177{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9475163694DC3BBB29B0A0DB41FD85B,SHA256=3A81575C15251AACF26A7D8593A0294F55965463CC831B76ED590361A9F1F80F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.129{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.125{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.125{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000279199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.944{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.924{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0944A9018660D55BC3F8CEC53CAC8842,SHA256=1A83C5251B539CEB67353E4C9D4FC9F6B192BC7F59BCFFF587DAC7D37136B7D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.891{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.844{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.844{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC92B49440C47DA5D11F06313C8E5CA,SHA256=B11EE72131EEBF6F9954D26F3E09665948D3FC0BBCC4C2782E794547D5AE0FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.829{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.829{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.827{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.824{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:35.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94455F84615029FBBD46C460ED454CB,SHA256=7150F2525C650C3AA029576735CED2A310802F76C3A7C2F239639D27DC3A9B24,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000279145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.824{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000279144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.807{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.791{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.791{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.727{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.707{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-F3FB-62DF-FE04-000000006F02}90489052C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.699{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.676{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.676{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-F3FB-62DF-FA04-000000006F02}89528956C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.649{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2DA3B3912D16AEE669C628952F85BE2,SHA256=F47950038A0EEB119CCA2CEBAAF6150FCE4FEAA350DAD0AB4BAF2F02D485CFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.626{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E31BB7D8B25AC5CDD46694ED3C7B1EF,SHA256=3E610AE936EE60F27E4BCCEA52FC30C8365D2C35C5F3B1002957FE23B20FFAF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-F3FB-62DF-F704-000000006F02}88648868C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.604{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-F3FA-62DF-F404-000000006F02}87808784C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.540{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.527{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.507{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.507{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.476{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-F3FA-62DF-F204-000000006F02}87168720C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.471{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C48271FB219FD5CBD639D245BDB8C39,SHA256=86D2320D12B8537B8A5ABD3827601EF07F22670C0C403D4555F620CCE91576B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-F3FA-62DF-EF04-000000006F02}86248628C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.398{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.376{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-F3FA-62DF-EC04-000000006F02}85368540C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.307{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6607AA6D19D3728C3C98A1B9049993B6,SHA256=6785DBEB411ECBC3134A0648E5A41C2763B97D4FFDD3A73C826AED838B412273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-F3FB-62DF-FF04-000000006F02}90569080C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-F163-62DF-1F04-000000006F02}22649008C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000278938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.208{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.208{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000278929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.177{F81F30E6-F3FB-62DF-FB04-000000006F02}89609032C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-F3FA-62DF-E904-000000006F02}84608464C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.170{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.149{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34C4ECDEE3CB1090CDEC79140D18067,SHA256=6DE4DCE206DEB70179401FBFDD55D0F41F0432DE68DCB7963303DB1D05FAF77D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-F163-62DF-1F04-000000006F02}22648900C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.138{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.129{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.129{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.125{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD28056C01EF07C7E46AC0648E2DCA3D,SHA256=FFD6D42D5A4530D4407DE3936E98129548259405A16445D9EA8EBFC9B5C9B2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-F3FB-62DF-F804-000000006F02}88728924C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-F3FA-62DF-E604-000000006F02}83688372C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.094{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-F163-62DF-1F04-000000006F02}22648836C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.078{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-F3FB-62DF-F504-000000006F02}87968840C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-F3FA-62DF-E304-000000006F02}82848288C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.003{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-F163-62DF-1F04-000000006F02}22648744C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.998{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000279245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.893{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-109MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.392{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B3FB8FA1819203F0D95A63AD66A102,SHA256=AC4E0A5EE7E58A69D5CBB3F44BC28C561410B8DFB8A4E74B742DCA113D50F355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9C8F61DF01CC442373C31F995DDE81,SHA256=4923D30BC02F339117C9769FDC525FF6E8A627640C5A4C4C7D5B12BFEA1B8260,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:36.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6691D697F58F16F35E196ADD3F554F37,SHA256=8279DE149006903D65C0DEF4C1078DB15A76B96243D97A74E8B9004D9B25BEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:37.907{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:37.543{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B9714A7C74D584ED93B2AE6156AB49,SHA256=21F099818ADAFB4CD473941DA8C079102BDFF2AFAB136FFC66850D806D086336,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000279246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.156{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64968-false10.0.1.12-8000- 23542300x800000000000000053444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:37.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95FBF2E3DAE7079E5410207509A3021,SHA256=8C53198F4F89BB299B8517130DA2EB74EF600F280F7920096B57AE96329055BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.674{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.674{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.658{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A73B770770CC1B06D872F41DB8A95B,SHA256=FB355A2F92AAEAA981CC4DC3CD44E5D569281DBD3524E91AA9016239CEF595D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.627{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.621{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.605{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-F3FE-62DF-0805-000000006F02}93609364C:\Windows\system32\cmd.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.602{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-F3FE-62DF-0905-000000006F02}93689388C:\Windows\system32\conhost.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-F163-62DF-1F04-000000006F02}22649356C:\Temp\dcrat.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.535{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:38.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837F674E92AA4A9428BBAB3144B41469,SHA256=40A824923C87C4FB8683488CF24F44F103326C3C08895069E77751D5147FE7D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:39.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D341CF8A5F72B68A71AF9A0447ECE8FC,SHA256=1A0F62F6F7EFA20CFD80E29F8BE61EFA963DD611D58B4E0967D5ADE45BF4C99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:40.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC13CA625731590C48C8B27BFDA181E1,SHA256=49A48B0339AB63F23CA25B58D8A0085A1E670648672C271A6B6E058BC730E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.972{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA700F7F2095E4FDB80009802754AE79,SHA256=98A1BB971173C31E4A572254657EF1FD76441083654AEAA3F9FEFD45A4D73D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.104{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53489EE9E960F1F71F23F9F40BD0353,SHA256=0E01A1BA72FF7C7FD644914AEFEB67C27D2D1690034D1399CF4D5DF5EFFB51CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:39.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51036-false10.0.1.12-8000- 23542300x800000000000000053449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:41.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B58A2C7135518EFE0C79D7152570BA,SHA256=91F16108C2D738CC26046FFF66725CAC6611AC3AEBC21CE805865A1EB07F0F05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.989{F81F30E6-F401-62DF-2205-000000006F02}1001210040C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-F163-62DF-1F04-000000006F02}22649960C:\Temp\dcrat.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.966{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.942{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.923{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.923{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-F401-62DF-1105-000000006F02}95889592C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-F401-62DF-1F05-000000006F02}99409968C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-F163-62DF-1F04-000000006F02}22649900C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.892{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.873{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.873{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB3999A1474FE1504C0CF02162538D9,SHA256=D1DC7A66417B77CB6F5BE5A6C658D685A13577C000F099967D54A10063135638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F5AF6E1FADA75B24055EA6E9B2A0E4,SHA256=6CEC3DC5F7A12E6381E952D52EA9DA5C5F8F80A3722E5DCB0F981ADE827CF1F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-F401-62DF-1D05-000000006F02}98689904C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.826{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.826{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-F401-62DF-0F05-000000006F02}95489552C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-F163-62DF-1F04-000000006F02}22649828C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.815{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.773{F81F30E6-F401-62DF-1A05-000000006F02}98089832C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-F163-62DF-1F04-000000006F02}22649744C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.758{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.726{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.726{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-F401-62DF-1705-000000006F02}97209764C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-F401-62DF-0D05-000000006F02}95049508C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.715{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-F163-62DF-1F04-000000006F02}22649684C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000279438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.684{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.658{F81F30E6-F401-62DF-1505-000000006F02}96769700C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.658{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-F163-62DF-1F04-000000006F02}22649624C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.644{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.625{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-F401-62DF-1205-000000006F02}96009644C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-F401-62DF-0B05-000000006F02}94609464C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.616{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-F163-62DF-1F04-000000006F02}22649568C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.594{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-F401-62DF-1005-000000006F02}95569580C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-F163-62DF-1F04-000000006F02}22649520C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.555{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.526{F81F30E6-F401-62DF-0E05-000000006F02}95129536C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.525{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.525{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.524{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.523{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.521{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-F163-62DF-1F04-000000006F02}22649476C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.510{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-F401-62DF-0C05-000000006F02}94689492C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-F163-62DF-1F04-000000006F02}22649456C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.486{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.972{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.957{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.904{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-F402-62DF-3205-000000006F02}72647308C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.863{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6541909B6ACD29525795A679297FC354,SHA256=43FACE1E9AE23466F8FCD2BA7E15A8FB11372BD62C74CE8C270F2091F7EF1DC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-F402-62DF-2F05-000000006F02}81726276C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.811{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-F402-62DF-2C05-000000006F02}74089348C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.758{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.741{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.741{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1F3676CF8B3CB636DCAF66C15D7427,SHA256=CDD11130A4939590BC022AE4C424B9253FF4FCB65F0AE0CB700E73692C58084B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.724{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.722{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-F402-62DF-2905-000000006F02}1023210236C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.701{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.641{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.641{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-F402-62DF-2605-000000006F02}1014410148C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.635{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.623{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80C2230EE5268D5607091E50D87B85C,SHA256=472B327627D0A46D36FA70922286A83840DEA90DB31960203AEF6D209A9CDE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09575DC38C2F4768891BE9F4A41C2DD4,SHA256=EDA49FE36F1F115FEA78F4AE1B3AFA6CDA417585A6DB340A672F862E1FC95E8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-F402-62DF-2305-000000006F02}1005610060C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.560{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000279798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.231{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64969-false10.0.1.12-8000- 10341000x8000000000000000279797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-F401-62DF-2105-000000006F02}1000410008C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.494{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-F402-62DF-3305-000000006F02}69087384C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000279776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-F163-62DF-1F04-000000006F02}22647580C:\Temp\dcrat.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000279769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.454{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3232752DC701416E919F46B081132E0C,SHA256=BE46ED05AEC07D708F7792A098F875BF74A69C91C588AFEE2884D28448B5943C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-F402-62DF-3005-000000006F02}6852216C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-F401-62DF-1E05-000000006F02}99209924C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.412{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-F163-62DF-1F04-000000006F02}22644896C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-F401-62DF-1B05-000000006F02}98489852C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.364{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA34295B5E271885F5D6A76ECB7817EC,SHA256=D73C35D9862E44B28104FE9A99DADE8A91E575BD6CAFB5E6FFA609D6FA3FF0D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-F402-62DF-2D05-000000006F02}6687448C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-F163-62DF-1F04-000000006F02}22649300C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.294{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-F402-62DF-2A05-000000006F02}82769352C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-F401-62DF-1905-000000006F02}97929796C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.253{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-F163-62DF-1F04-000000006F02}226410196C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.237{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.222{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.220{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-F402-62DF-2705-000000006F02}1016410220C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-F401-62DF-1605-000000006F02}97049708C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.190{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-F163-62DF-1F04-000000006F02}226410128C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.183{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.142{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.142{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE03CDA78C5DDD39071310B2037978C,SHA256=FF0A381C46A25087A505049004A348800CE23104F80578711A039BCC092B9AEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.142{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.105{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.105{F81F30E6-F402-62DF-2405-000000006F02}1007210124C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.105{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-F401-62DF-1405-000000006F02}96689672C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.088{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-F163-62DF-1F04-000000006F02}226410036C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.071{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.042{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.025{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.025{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.024{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.024{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.024{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.004{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD762797C208BF6320F64A6CE23743D8,SHA256=9586FBB639FD87DBED1D9B3C7925A471AC68582D578E494BFE0E2FE9999E6D11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.421{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BC97A08479D096A9CA9CB52B33605B,SHA256=91609DB0E9F305C993429FEE4EE9A0D625E49B9029056627D41A86C3348D3C3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.157{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.126{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.126{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.121{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E76A8C75BCACDD1C53945CCBCE6F494,SHA256=9E69D1261EB8F70B882C2B49944ED96F7B5AB8E4DF39E5B69620D5436BFC6D1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E856FBE47D5132F450CFB77B508637,SHA256=8459163322F5F761AC5EC80EA2EFB680FE6186666A699AC9C3FAEFB215B0AC7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.025{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.022{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.022{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.022{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.020{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.003{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:43.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0786259CF8B282DE8A32472A6A9E57C,SHA256=3A40784A2E2FA31E8A25C4E91ED00C4B2DBB1A86D10D054B9C3559062802F07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:44.125{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA2CB43E4DAE3791A77D31B7F39D3C4,SHA256=9779AE00D3D1FC006D6E277071B35AFB57DF796A92178474E636CAD99B547F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:44.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4CF65EFC3CD6DCDD90DD2BE2C274C3,SHA256=2ED4704E6148356F71841C8197CEE32557C3E9EF0C14E2226F8508CEB908DBFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:44.192{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51037-false10.0.1.12-8000- 23542300x800000000000000053452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:45.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1014EA51EB5A2488352CCD17773E5F0B,SHA256=F22BBD7E84A09A0AD4DB67BA1B05C03BA6F32AA1C294FAF54F57016E474FC8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.519{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC64E711DE80116C916822EDE5F3DD4C,SHA256=9DC37A42E61292ECA0DAF2FF224ED57D954DA52EA885885A4B6D26F8BA68D159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.455{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-F405-62DF-3B05-000000006F02}1045210456C:\Windows\system32\cmd.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.430{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.371{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.371{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.371{F81F30E6-F405-62DF-3C05-000000006F02}1046010480C:\Windows\system32\conhost.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-F163-62DF-1F04-000000006F02}226410448C:\Temp\dcrat.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.359{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.255{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18E4CB74DA5EDBEA5161E9B9793983D,SHA256=FE7BD4768BDFEB5A2644256C7A65331B0E754CFD7C5B46E905E7B16203259329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:46.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5595E2FC5BA73E8189883BC11CACE65,SHA256=3EA9307E1528A6B4BF42C8D2CAFFABF8ED19DE48ADB817522F3428476C9578DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.386{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D3D5F9ED3D193F8A3B9F2A97130E1E,SHA256=2733B1311ABC57BD0F247218DD1A3CDDF56F643924B9990525C69A3A369771A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:46.012{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:46.068{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51038-false10.0.1.12-8089- 23542300x800000000000000053457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:47.387{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F31C88412490EDB70ADBC6F977C7F3,SHA256=9FD6B97F1917DB02ACB50845324BEE092C6E10ECF5483B02D979F905832227FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:47.501{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3722C060DA5795B85B065CF3C4E228,SHA256=E09C8E6F45453763ED612BC7C44E6C354D308AA2AE1EB5831B24388D14012026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:47.168{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5D02DDD1BEA22AA58CC5236F247091A6,SHA256=70B755EE9E0E81E86DC5585C987CA2D6825C8183FC3769E2AF7B34B30F0EE7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:48.481{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB87DDF6FBEEE3A9C85511EAA77EDF3A,SHA256=78E0D1E261C60A0E23637406134BF83953F2845F63E1C5E1DAA44F131327B63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:48.538{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C31AC7E6C903562703F02398219219,SHA256=FD8E978C2AA1B2B4B0A7E0A139570A881A8F17FEC978CF9866DF6CE5728479E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:49.574{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BC6B8BE8F1A31E20C2A649189C7EEF,SHA256=DF61DEEC76D109EB21B64A8A7D9DAB44F55BCEB1FECB304316936EEDF3192373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:49.568{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C4FF7CD83BE7A3885717ED6AA71931,SHA256=4BDC3CD35DB70EC127EE904815EA84ACAC61748E5D239B2EF7DBA8E59959BDB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.129{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64970-false10.0.1.12-8000- 23542300x8000000000000000280149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:49.020{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:50.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3A6B906C2286E84B00B6B77BC4D3FF,SHA256=771FB1B7CFE6EBDEF0B17B7C749CE9F6D8FCB9E6CD6C514BECBECFC5E13FB090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:50.598{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8785A2F4B02D5A5ECD1CA1FDBC615906,SHA256=A202A0A93ACF1F9A6661BE19DCE2FC81FB2160DA4E389139017082FFE9246B71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:48.012{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64971-false10.0.1.12-8089- 354300x800000000000000053463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:50.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51039-false10.0.1.12-8000- 23542300x800000000000000053462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:51.762{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF05798787A7A3B15C427063D01471,SHA256=9ED2AA9356E52EF8866B27F0D21383356D00509E4F1EBB0FE7F3581E78867224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:51.751{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AB8CD8EFA7AECFFBEF3999882B6801,SHA256=EC23E8DC7C2B34654C377F4D5DC3F703F73147FC3D6EB9DD4841D141B5494DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:52.856{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BD12F89176E9703757F72D2B386C1B,SHA256=C2CFE3B31EDD01FD402410753E698DC07FCBE7619C5A7994D6275B30BA87215A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:52.797{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EB0D48D464F00CD7FB4489C0D02CEC,SHA256=A57D66E0B623FB582FFD7B8D37C9FD0B401C62DCA141C9DD43D7DED30A2210F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:53.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EA17C7E9304FE0A14FFCADBE646D66,SHA256=9517D47D7F26251A32C57026AAAD3719C499D69F15BF19EFE5646C348D323A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:53.833{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC008E2CD95B1D8CE149429FE3F2131A,SHA256=1809D9AF25FBE7A16D2D6DB386A4111998D320AE8168C381F1899211B1D266CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:53.765{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:53.765{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:54.953{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E7EAA5E4D5D8BB2A60BE8B9977AA7F,SHA256=D092CBE727C166715264E4E5D490B68C5AD44536A32ECA4C7CB45EADA0F7126D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:52.062{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64972-false10.0.1.12-8000- 10341000x8000000000000000280160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:54.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:54.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:55.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038188FB892D9C80BA14202626E62B2A,SHA256=C5F49AC912E5DEE4584BCA3118B0C8B72C71E93ACC297CD3DA71DFB6618E75E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:56.137{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D966384FA6B3C1AB7EFE574762424DE3,SHA256=3EABDCBF02FC0A8E67B08B98E0F4B979C0BF660043293E0AA177DCE0E4B0C4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:56.054{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390E6E0D790B960BB7BD2A7730545FFC,SHA256=FA0FDD97CABD89BBCC752E8818B1B12D8FE35F915CADDD003183D0886632C9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:57.231{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1D5231ACC9F5FD22A7ACB3786FD2A2,SHA256=A8B5F95BB0BE75219B77AE3921ED5B7291F98D61D027DE0FD8323BF48B9227DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:57.099{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAA60B1C9941B3FE82DAE0442212E32,SHA256=FB0DD70BEA2D314ADD7107A87557F71CEA6D19A43DFC1D66F833CACB61028FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:58.324{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5F92F81E9DF6573956559AEB9633B7,SHA256=15200313A10985E0D3F55B014123843FCE7B44FDB345B33209CB4E64E9805DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:58.151{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34DF97FFCB5658049C299103F1FF972,SHA256=8B3462B06C652D1590FDDFFB5D5296246D70615B37325EAC9ED1C08BB8905235,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:56.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51040-false10.0.1.12-8000- 23542300x800000000000000053471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:59.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526227A74753C5C6180E41D80ED607E,SHA256=DD4154226D2D2276235682AD7EF4ACFE1EE29F7475481D4F0CC7178CD3D078AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:57.247{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64973-false10.0.1.12-8000- 23542300x8000000000000000280166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:59.182{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1322C816EBB275D023B4BC8B1D242F,SHA256=AFFD7E536F314C297788F1529C763B81DF20771713EB529255D655E266BCCD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:00.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACA53675110ADF6493E967097BB99EC,SHA256=D71010B96E022D2F2FD080D41ABE4B1CEC67A53F885FA91AA995A9F94E730676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:00.933{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B966BA3F8EF5160FB05F6DAA2D06FA4E,SHA256=28933204C4FC71AF96FF476D91678B080128B06F75224CCE0D95E36BFA4928D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:00.234{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF363407626259A080992B6B0AEEB16D,SHA256=EC116E847E1C17333C237E20CD91D321D7BFA5E4A7266C5C14C573BBF52C8D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:01.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFABCACD29780967CF124A9658655F6,SHA256=C6A19E2959AFCE04BEFA405440F99DB672D0FD9907E8384C9B6FEC19611F9266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:01.279{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2963ADC477EB8E3D314053B5442865,SHA256=5A2E06255D6F77AB782271A1A9BA770B5A2D7CF0E4DAA0D09A316BD543905762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:02.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0101D39275AEFF22375B0FF2B401B88C,SHA256=C4E0869A5B56E8D0DB09B1081D25E428C798DF90B1E3CBA2DD0D63710E3C3F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:02.311{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F6888EE0CE961A64BE8737C12F768,SHA256=A04C5980C124DCE2B0AC7DB437D3E04A5B0E7C2CDC028C5DAB67EB61D7B7CBE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:02.286{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51041-false10.0.1.12-8000- 23542300x800000000000000053475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:03.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD7320435143B01213D0C3A10717925,SHA256=911154CCC66756A74A5356DC02074389C8033B5005C54D523A13B8D7CEC18291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.830{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C69D6236F9713FFC42407A363B777B,SHA256=3C00142F04E09C8A9832C3F721CB974D78D63349943C12669BD82AA8E7474375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.630{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71230E20B3BB2EF08F23623792FAC460,SHA256=7B6D64E9D4A2E5D97DBAEBED055FCA869F21AACFA44B9EB5C8890A949C2C8904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.262{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.262{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-F417-62DF-3E05-000000006F02}1064410648C:\Windows\system32\cmd.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.258{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.211{F81F30E6-F417-62DF-3F05-000000006F02}1065210672C:\Windows\system32\conhost.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.193{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.193{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-F163-62DF-1F04-000000006F02}226410640C:\Temp\dcrat.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.189{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:04.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E080E9EE9DF652E7B567F355CAE0C33C,SHA256=8E097A68E73F753925238EDAEEC933A81BBD4C90DAF07BDA91153659AC4089C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:01.722{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64974-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:01.722{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64974-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000280239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.761{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58EF360CE787121545F9212EDC873685,SHA256=F25EE7042C26B2819615D27647B6F11C1BADE0D8BD4811DC1987D7493A74613C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:05.981{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E948EFDE16C7E99837DAB62A9A894FD,SHA256=F7F092F4C3173B64FD714A1524C5E59BB3D84AA29E349D3EDE1FBC7D819B11E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:05.911{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E3E0EC55D104A16857A9EA1FD16742,SHA256=FC33991BD093E1DF2E3633FB57F9048FB8BE1CA235167A4C9B6ED93BF723A8A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.158{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64975-false10.0.1.12-8000- 23542300x8000000000000000280244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:06.943{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBE80A05AD0CAF859E2663F57C999DF,SHA256=BCD8EAC67E9FAD610F945D449A264D271405E51A7FB9DBB53CA8965F9FB85D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:07.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE8FD8D8895425DDBE6409C073943F0,SHA256=32208D278DD1AFC04839580584725E8A6DAB77CB1C7F6BF87D4CF6D8DE8202C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:08.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A76214EB66DA2EE525774D119AE104,SHA256=0038D8BFBD8EF162E57ECD46DB80825FEF3E012EF2085BD5EDF1BED4C486EB66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:08.108{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:08.108{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:08.059{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A09991D601F1C050DA832E24AA14C2,SHA256=2D8F9879C676A55FF7009040E97B85B4975A3EF1335E11164EA4E4AA1DBD9A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:09.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED2803B4DCF9A385A096D3536AF87CB,SHA256=5150790B3602E84E23907F60A831C25D37A61A5C3F0EBBAA6648AA914C84810C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.559{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.559{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.190{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0B5BE832EB8DDDF05E21F4FC092D63,SHA256=185A92C26D28D4E4B339AFEE6DC8970BC5283C9218B5F266A094C63CDA71226C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:08.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51042-false10.0.1.12-8000- 23542300x800000000000000053482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:10.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C400AD7D12588064D5CB0E1850E2EC4,SHA256=A95720F3DA7735E66D3BBD6DC516BB0C01EAF937791E87AC2E7CB1FFE9D0778A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:10.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:10.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:10.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5895FEED4444AE28357D21AA2ADB849C,SHA256=FFDF0CF8175C49D1157C5EF7653BA2A7C1211F2779CA2EF3E014A814E3BCD162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:11.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2DA163638155AC4B5D43E77388F446,SHA256=2FFAEF0B6F6CC7FF91DDE7DC0706EE8BB5EF46408E105E7C298AF17252232CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:11.407{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2A76B01035140C446ABFA7F8BA1896,SHA256=ED508FF81E0DB5587DB4F5EFE93771001A3C16B2E57B7B73A45C515410519E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:12.542{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F3B493EDAED1780B3D532D982A3CCD,SHA256=D74DF97B8FEB7F62AFDBF1706CDF43961CAFAC4D57489F5FE4F65E54E10EE2D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.872{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFD7D4CA85B88E5AE061466B7AC3CD7,SHA256=275E90C2AACFB41308ABD6CCB43F21784AE55AFD67805E8C7A1B4E8FA6CF7CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.387{53069400-F420-62DF-9403-000000007002}3096596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.200{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000280255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.171{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64976-false10.0.1.12-8000- 23542300x8000000000000000280257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:13.589{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C6ECB65FD939D85FDD7A3EB6EBC438,SHA256=091BD957856EE4C87046D81C0329D41239FD09B67D6C18354CB6EBE5A8A25FE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3A06D776D4DA9AB30F93A81796C993,SHA256=127740789E77D52B016F133A8B0D5B4BDF0EEC4428816416BB96613E7657AC3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.872{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.372{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=239F9A15EE9689A43E24F47EC8D1DACA,SHA256=29F172CB147799F172865B536934947459AA9B7FAF6B9CF15EC51BB20AD5A8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.074{53069400-F420-62DF-9503-000000007002}12842652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:14.689{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A208FAF078122D5FDA337E5DE5FADBA8,SHA256=EBF495120363E1C6C2E6B6C069AFA76AADC0DC020383885878D0D1FE7E8D6AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.700{53069400-F422-62DF-9803-000000007002}7161220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.544{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:15.741{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81E277DF6988DF802C20286C189F3F4,SHA256=41DF082E417DFC222C3715A03EC822C3371D8C79DE318898FA13B0EE20F1A730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.716{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.451{53069400-F423-62DF-9903-000000007002}9523708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.317{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51043-false10.0.1.12-8000- 10341000x800000000000000053569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.216{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88854D0FAB88308CC0DA3E813E38D3F,SHA256=B2A034654A6CA359989F01716AC95A8F5091EB5D84439B26661C9CDBE6BD3344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:16.887{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F391EB48CACE6B3F0BF0D04606D8AAF,SHA256=ED344806377B7BEF0566AA0FDAAB59415347E421C0586431BD1C9B60CAA5088C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:16.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2267ABE79562FD16DCB7444DC41AAB,SHA256=5D5059A0B79731ED10187F1E81E264F49804CAEAD7DA32DFC8C67B56DF170C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:17.972{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E15649BD3E01077F4EA4017DFCC6D67,SHA256=C5D312608474860495D75CD060CA6EEE10A2E965806C541E3115B69940A9FFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:17.418{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=30C8358FA73EA96314772F0940331E63,SHA256=DAAE4BCD13B6C590A0EC898589E02B509B7EE9414689770BFFB5597EB2134D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:17.309{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5192D84E1BAF3C0AD1E1AA5EB705B7C1,SHA256=841B337EA173902D5D4DA1E2E378CDC7C9259324F289E739A5E510561202F887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:18.402{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AADB0815635442E4CFE063034798A33,SHA256=67BAF8A2FC6090251BC136A4C7353C6D0B8B30A4AFE539D42A8852016375AF84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:15.168{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64977-false10.0.1.12-8000- 23542300x800000000000000053589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:19.496{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365EE3E0F7DF04B5D4EB7F1B2608F729,SHA256=808F74C2C67F56AE76A2D12E5704BB2A4E624BF7267D758B5E97FF238E973A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:19.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:19.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:19.105{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C05689DBF5E0E5919486F94C0223F54,SHA256=738A25B19567482CC8AD03B9D0AB244032E1D2A9B383C6D61770477308F6E8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:20.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45DAB8294C2C61821D71F3853DDB636,SHA256=5CFB818951977F3BBD43BB4B57371CA0FDF740832055578CD28DADBF8BF2A831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:20.231{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A429F704C88CB7693A38695B89B27A0,SHA256=91B7DEF834490313700C02A8A76DEA6DF904D985B543A9D1E42A84649CB25980,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:19.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51044-false10.0.1.12-8000- 23542300x800000000000000053592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:21.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E899940D653FFFCABA9FCBE9ED30CB13,SHA256=959AF897F9805DC374BE947C585B255A5391DFFF85CFBE129BF0C0B5A5EBB42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:21.253{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480DDF8106736049C8553E0EB6B4A6F5,SHA256=E184B42D0FDC325D0FDA73FC9FCE8982E242E9F9ADDD9DD6DD15D995BE5B90E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:22.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D7935320A423E86D8C740B17A9456B,SHA256=8C1A8AF87C2D68BCD2CAE18DA06D5C5F68218E826A15779AE964185FD734E3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:22.304{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBFED3EBA16DD08F83F8043E7B55514,SHA256=90837FDEACD6724EC7D62AA0B259EACEC6C9F048BF44E42E4094555CB83BA203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:23.982{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C205DB42B647F713C82F4CD4C607A7DA,SHA256=9A97FFD86134C1F76FDDB69485F465FB0D7485CDBB1844BFE366307FC1C79E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:23.419{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13941B2B3F86E6078698555B67DB7875,SHA256=EF6C92A768A133063A732566C5E42D8452F6147C17D074F20C5F7F43BC0060FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:24.471{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E031A5C318BED585BB3B9263BD11D0,SHA256=1F597B1B427AC4FDB647C55874AC11ED47AB536D3106DA59B995B1E671D2665B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:24.171{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-110MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:21.167{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64978-false10.0.1.12-8000- 23542300x8000000000000000280272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:25.517{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1588C71EBF9F6B2F199488679ECBC2B5,SHA256=6236DC7955A5B8F953951352D98C3CE63948447CD9F32B49EBADDCB2423E3A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:25.185{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:25.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FFBB54273465990D27A97DC93A0447,SHA256=66621650C4B2D102067B74986EA458857C7D1A5206D1B0060D33370E914247A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:25.099{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51045-false10.0.1.12-8000- 23542300x800000000000000053598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:26.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06445F5579D348CBEB8BB7B86C84E5F6,SHA256=100E26EAE9AB540F1E649B668D9743046DAE7A37DA3D8E80A80758F350806E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:26.569{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECB54D83CDEF881EE7247359D10474F,SHA256=8B6770857AFBBB342CF3D54E6503B8F204F4D4EEDC788DF9800DCDB12F2B2165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:27.615{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0F20D6CD6D2318523C45C04B6235F8,SHA256=CF9FB75B17F553645D15AAA420DFB6EDAD359331B8E178A7EABB0D0874A9AA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:27.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E399EE9BA6C5868CCD02A7CEA3FC8F,SHA256=BDCD290F9EAF5979CDA2F2558E7236FCB094F93B8186064EE3D535A3B4E0B59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:28.748{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D609C1B33BC91298433F9AE3A5295F8,SHA256=1CC07FE229C430A7015087C75B1B500E426A1B76D440290F7C3B308AC0034E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:28.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A30F66F67426C131538BF49DA387BC,SHA256=85A810643FB54E6FB65B735858108B4078C52CCB1953ABE33145D1FF693E5F3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.967{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.967{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.899{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1642976E8E4230BE8FECBEC469F3E7,SHA256=E9F30631AC0DF66619B0B1C4F275DF7DF80365462F0B208A97E66CC44B010239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.799{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.799{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:29.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB8F0F8B3B30D86447C3916113EE577,SHA256=79C90ED59392F848BF2B6E21F59EB670AA72000D80FE9E295EE19130349E4DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:30.868{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC9F71246BE1534CB3131C390A28C3F,SHA256=E37A1EC87322468E85CFA6D5B84C2EC02222759CD5C763E9B92EBD1ACFDDBB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:30.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAC6667325A675CC9A3228BB1316557,SHA256=F33148104B618E86D9321A12B85AC8BB320F027435D3C5C292EF3842FFBECE13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:27.159{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64979-false10.0.1.12-8000- 354300x800000000000000053605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:30.161{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51046-false10.0.1.12-8000- 23542300x800000000000000053604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:31.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8A2DED8B3EB74BB30837FFF75D390,SHA256=7DBC727DB103CA44EE88808596076DC495BD3E4315E9B7BC6C46C500047B9520,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.515{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.515{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.184{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6F68DD26DAD128BD9594E48CA94920A0,SHA256=CF08055AA25B99BE244EF7D4918A5BAACAA53F1CF0D1127885432E4BA7AC777C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:32.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A8ED26A8DA638E5C34E824E49D9F36,SHA256=467E7E46B9A406D00B9045E65C5A36FAC911F49C2E91E8D2982F2BEDF391ECDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.868{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.399{F81F30E6-F434-62DF-4105-000000006F02}1109611100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.184{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.030{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D0A80D4E6282DB03EEE196DAF0A0CC,SHA256=2063512FE810456126ACC5014897CF4C6FE6FF251A753286CD39BBD6F0160AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:33.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2EFBF8A7272A2B6DE49C15854C81F5,SHA256=46B8900EC9B1A67C9ED8C17B84935D3971E0B343F19FBA86EDFAB5D1EE55EA4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.247{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=904C169C0A58E2B15FEC6A7DC69D0732,SHA256=1D308888D3E965909460DB11FF294AD0CFBFBF9324C01CFB560D7568BBCBB541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.167{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F2A4450885F3590AC947940FD83457,SHA256=A25F7BC2BC6D8BA0F64C71D723ADEE886B671D7CDEB07D2A607C3553D4AEC6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:34.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B73B2D73831EC187C26492DF0E632BB,SHA256=0CFB462783B0044241DB03D98020487669E751092678516608EA74404E8A69E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.929{F81F30E6-F436-62DF-4505-000000006F02}1123211236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.813{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A7688DAE63350E888AA75AA396F8591E,SHA256=F0227FE9144B930305997EF6D5C25A898E92FB1232A274A801DCA663683C8C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.714{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.451{F81F30E6-F436-62DF-4405-000000006F02}1119211196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4604609B6E8E75EC6074B43D5AB138,SHA256=4E8786EE96966C963B603CDEEB95DE0974E1E5D50C56C40F7E111BB45BA8D0D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.214{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:34.043{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=11A7F8A5021ACE77F4D9709E240BC903,SHA256=6368523C46CEE0E09F05FA6139DB38F621FAA5EB551A64151EAA6ED355D555DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.781{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4AE24674ACAF39FFDE002929F721CA,SHA256=DEFA4649155E657F5E672F5B1E5F4835BAB677B08E9680D9CDEA70C4FED09C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.597{F81F30E6-F437-62DF-4605-000000006F02}1034010400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000280360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.110{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64980-false10.0.1.12-8000- 10341000x8000000000000000280359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.398{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.481{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFABE2B6D4D1734935829005358E563,SHA256=29F69B91B6995C7204F68C90E43E65452C059EB4A51AB7A4A06E93CE16691451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:36.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C11248E349ECB0690331CA5AAD5FD2,SHA256=B348FA0078D249FBAAB4B07C5D8419A7F0C98B435F51BDD4B39EBD202958D040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.066{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.964{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.964{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-F439-62DF-4805-000000006F02}43204120C:\Windows\system32\cmd.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.939{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.864{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.864{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.864{F81F30E6-F439-62DF-4905-000000006F02}63004312C:\Windows\system32\conhost.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-F163-62DF-1F04-000000006F02}226411028C:\Temp\dcrat.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.854{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.512{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D83454B68B6B667E342ED360650849F,SHA256=B482CDBF54E3D5F9BD28C947FD6A387FEA4F916EE7564C0A9D6A62E5B7DF61C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:37.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E071D12A1C213D9BC4F94563896364C2,SHA256=4F548D61E171AC9176C15E2F3508408DB869E3244C1ABE7F53D2BD0D9721E108,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:36.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51047-false10.0.1.12-8000- 23542300x8000000000000000280427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.927{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE18485DFF5ED34C2DA1C9ADFAF5F8F,SHA256=B9BD94FEA5FA0C224BF7CB349D9D1CD46A1F2C5E0F18F21C8E4C9BC0462DD116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.895{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDB42E56DE5AAE7660E9E109ACC92AA,SHA256=B7AE3D79C4515D0AE5182F5317B22359A391C4CD7DD62B38751DBD6694FCF675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:38.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D22C62AA80FEF34BAD516E6905B107,SHA256=F2F34916A383CDA99C0245A7205FCE5F957D32C2B3E3857B1827C682A35D3D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.429{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-110MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.048{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.047{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.047{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.027{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.027{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.027{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.995{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:39.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238ABD651D8837DCE342615FC7F19C1,SHA256=C2EDDE94B9E628260575012C6B3DD07200502BC1268E8FAC3CD98572427E68CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.446{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:40.387{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5FE40EBA7648901E39670F5B7465C3,SHA256=9920E3041F883EB825C5BC924001541BB02DF3A4D1E249CCD946202D6841592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:40.025{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F05EF13DC49E41D648497BEBCA418BF,SHA256=D875482324170F25BB5D58FC5198CF571EE49AD01B246AA62258514CB994519E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:41.481{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4709477BB9FF403565EE933D1784FD5D,SHA256=18ED2EE4F0F7CA29C8D0FF03DF0C8139B56BFB36F244CE3E1DB91E6A4F96E19E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.207{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64981-false10.0.1.12-8000- 23542300x8000000000000000280438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:41.078{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970069AAC4AA50D81CBE24530F6E6FBF,SHA256=18B5E299C010FD72563607B4A95783B3290DD9482E587F49C63697731F69087F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:42.574{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7BE1AE18B6BD830371804A10E6C2CC,SHA256=908D251440C780E77BF3AFFE1C847667130F63F996C626147725676D3E72BE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:42.198{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F4C4B68A9ED57649619C8D47E655B8,SHA256=A0D94E3D8BF9D47CF316B77B811A16E770D5176A5C9CC2818FB73B2BFE13964C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:41.193{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51048-false10.0.1.12-8000- 23542300x800000000000000053619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:43.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DF782364C1E1CFC1B0E6BA5D017AC3,SHA256=68FC567FE6BE6A21C82EDDDE6AD83F1C609D53BC37D0EB5BA16714DDCCF3E1A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.652{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.652{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.652{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.648{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.646{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.615{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.552{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.552{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-F43F-62DF-4B05-000000006F02}15601420C:\Windows\system32\cmd.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.514{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.468{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.468{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.468{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.453{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.453{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.448{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.447{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.447{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.446{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.415{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.415{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.400{F81F30E6-F43F-62DF-4C05-000000006F02}68327488C:\Windows\system32\conhost.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.400{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-F163-62DF-1F04-000000006F02}22647536C:\Temp\dcrat.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.390{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.284{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BD1F3CD0AFB25CE2C5AFFD7834F8F4,SHA256=0E77374D06CDD31595DE45B01CB6CD379873384A83BB79E1679349F771228049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:44.762{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827AEA77E0BC12632552AF2E65CE3EC2,SHA256=F4720C9551149BA2127DBEE3C21FE47BAF8F6D6799ED35EC60DCEBDB08141EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.483{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82AD171F300020435910A6016F2AD91A,SHA256=AFDB855407E7455674CD9740D75882166A1313427297E8104DB8C33454007A5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.315{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C3D3FED6A61B6FA8B04DA02E0A4D14,SHA256=83EDC43C0371FF20E33021D4C5C8F6D73C819D5E8A0F6F518B6F5449DAB000CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.015{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD253240D7C1394C0ADEBB5C805B4801,SHA256=91EE35ABA073D033969E418532C7DC4CAFAB3E6A8A2F4304984F6CD429B5303F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:45.856{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E872E8E0EBB5498EC5133FE41B7ACCE2,SHA256=D0601F9F10D030B1782FD501A16E18A28D5FAB2E1B5E782F17DA1DEF069EF5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:45.366{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E5F9D0B69706642FCE5E78F0C2D5B,SHA256=B5EDB3A322860A8C4D747194F95FA61A0E9B28F3D43D7B521FCA08D2533C2690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:46.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552185B37A8C15D09E226BEB6B3B26A8,SHA256=F43C82B15D781CE7720C328FFA3BA57B4D23D610BBA7E7D32D57349063C57446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.846{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7971F948AE6F4830F429C5A32D9B24B,SHA256=ADA6702D346F0D93ED38035FFE4ACDB7BE4676595B9F8B285B73F406499C75F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:46.043{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.765{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.712{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.712{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-F442-62DF-4E05-000000006F02}54124424C:\Windows\system32\cmd.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.665{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.649{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.649{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.649{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000280543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.210{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64982-false10.0.1.12-8000- 10341000x8000000000000000280542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.612{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.550{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.497{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.497{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.497{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7977E8CD26E82BFA48B3762F8C6AF9,SHA256=6DA26115FB62C2D2D99C6270280357A1264AD1D5EFD4E34B947D5C0C90F83674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.428{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.428{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.412{F81F30E6-F442-62DF-4F05-000000006F02}69324188C:\Windows\system32\conhost.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-F163-62DF-1F04-000000006F02}22646652C:\Temp\dcrat.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000280515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.396{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.512{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C628D191CDC311BC4D9423DAEB1C923,SHA256=613B9BA62B216FCBD89241CA1AD4081CF7F27CD2A0343D1A00D9E1B44F79991B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:47.793{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9270D7B057A19C24856B5947573507EE,SHA256=9FE6EC0E4F9F2B1FCD36C019C92015F74C4AA60CB8FC0CD48418417F128F643D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:46.099{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51049-false10.0.1.12-8089- 23542300x8000000000000000280583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:48.549{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1580F6DD3120205F1946C2A8B0D843D,SHA256=920C78ADF1E7C13589BA46AE1AF0194EA029D0072CB4481DBCC229B15C30A309,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:47.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51050-false10.0.1.12-8000- 23542300x800000000000000053626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:48.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08F3E83211E0F82B9BB794BA2B79B71,SHA256=F54E7CE80A80860E9B21416273160A6154FD0D19B98E10D9FA49784851F1EDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:49.665{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384B9215FBD4E8D14DBC6BD5454B82A5,SHA256=98F1CAF18035870CF43E2A01034BCA8AB0622671E4E4CA4FE0369E41DE205228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:49.137{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C72CA996C09AB9EDC130F695E42B6BD,SHA256=BCD23D2732776C8A14C0570F7B541EAFF4DD055FB6A4CE32EFC45FA97455A7B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:49.048{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:50.711{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0DD578C897D9F41B4642AE07C04731,SHA256=FD2D94207A27C4E7AA1507EB21D92F5A145CDBEFFFB768B2E39B1E8E1D8FF100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:50.231{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C149BF9A5DD4DE6054F00EF4EE376FB7,SHA256=079647EDD29EF34250685D53AFFF82D359E05F8E73A736FCAC2C0A0F59F4841C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:48.041{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64983-false10.0.1.12-8089- 23542300x8000000000000000280589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:51.763{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263F4B11ABF233F91AF57F86F0C404F9,SHA256=C8E49C98C3A20068DF3AF519AF8831195F4367C98E13F02C1E047F430D9E5BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:51.324{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C964137F7223F0B0381B689109E576E3,SHA256=624DB5CC0B6A194E89CCF0F5A3BB6FDBFD5CA105253A537E0737DD8C7BB6D8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:49.240{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64984-false10.0.1.12-8000- 23542300x8000000000000000280590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:52.796{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA29C1EA351E6B3CF589F0679881A8A,SHA256=D491421F33605D6AE10A827CE91A3F25CBD7E1D7760D579CA50FE828D7F29689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:52.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459AAEDDD267256E1EFCB69E9CC71399,SHA256=BBE07886B92F4336E5B9C94B24BB43AB302CDF4D24E24C36FAA259E53C2C7D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:53.828{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAE76579B65C30A15E309E34FD8BB46,SHA256=2342FB8EF803540B04E3A994994E5B6C81343CE215DF16A63D4AAB2C24B4D9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:53.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A08B3AB73C08F860E5E6D54C1567D58,SHA256=7C514133E3FDA202B54A3207772B648D6562F217F673726016A1A8DAA094CE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:54.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8A01A8F744A7EAC6D35C20AE2789BC,SHA256=B63FED7BC9F64DA67D73AF3F0E20E80234CE510FA4F2F489399FEF5A23FC3898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:53.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51051-false10.0.1.12-8000- 23542300x800000000000000053634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:55.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA12CC3776062F2F1D2F648A292515A,SHA256=CE544C994FF90176714D522695EFD38F0BD8181B8B5797370B14A78A7AF9F5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.996{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACDD547768ED3461FCCBCD90BC99489,SHA256=EB800843133707DE69AA6D900F6F1AC26052692E0BA6DBE050A8816A52CC244E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:56.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD866E15044225EAB32E427A307518F,SHA256=87E992313A06DB045C6922E577FE224F30F9460C406880BB822C43C3714A8F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000280603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.448{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF68cccb.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.043{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AC12F3CF32951BC48BC3FB3E2707D2,SHA256=AB270D40893315082E74B627488D5DD281A86954096B9F86B201D797798C5598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:57.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3495B1DECB85DF8F43A0668EA67F0F,SHA256=C3B32A8FD2F6F35FE3474F275D77CD933B6D5EE15B865EB06384F689BE874FE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000280606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:55.107{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64985-false10.0.1.12-8000- 23542300x8000000000000000280605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.094{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49E1FFF23524F1F81E751DCCACA1228,SHA256=3F3E68596A310054B43DCD19354C89600CD52D748E42A0C58E39AE98D25BA47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:58.980{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1027F296CDDE70B752CCE2F11609C24,SHA256=6F380DEC764DF8F88C892857F66F1F4C10A9D5A9C1B0382CF9715E19E3D4638D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:58.144{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594FC098A790AB4700249503E4CB8A16,SHA256=9B4B88B862AA7BD931975E20E365465E94F9C5490012D6D8DC59033DE200DDBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:58.302{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51052-false10.0.1.12-8000- 23542300x8000000000000000280616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:59.194{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73082A49CD94FD7686821A1733F02BFB,SHA256=AA77A48BA9CDF1997076A86F8D5E383ED4ECB701B8D46949E80C4B027B72BF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:00.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC21621066C25429546F4EBB5C76F35,SHA256=C61163A9E78985BA2ADB5662CC1D0F67ADDCA253266B046E30BD6F2A33C8EE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:00.224{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9847702E1331F041627AF6244CC814F3,SHA256=6ED7075DE1BD64A1590D8CC5D7B0D4E44CA06471FBCCECD7260195B814AAA98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:01.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CA65D44AB3A9D8F7A8590AD7402C67,SHA256=6F5CE5CCF6C5A6B8D8B38DA0E033650009AE7B244D0315873C9032C998E0D035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.476{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7B81B5A6591A864E343D987E14166D42,SHA256=D6D524C178AA9C47E3F75F0B829E76F0F0084A4D82B41FE07042068EE151D29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.261{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFB2292349D9C8FC9ED05D3D78A9491,SHA256=A572CDEDB4ACFB1C78580EE51B92F034D08D6ADA9D30D1126D744C310EBE507C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:02.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F65D34CD134375871B2286452F5079,SHA256=114E039CF7877515FD4BAE014BF16A7DBC33667C9CBAD7916DC8CEACE761E565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:02.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAFEDEEBA4EC676B8C857E5C9CEBAC2,SHA256=17C9FD2AB08146CFC86C01304E3F99B4631DBD7F3EEDC212A38EDDA623BF803A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:03.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BC75A1C318B5EA57FD5BE00F8EEDC2,SHA256=63DCADF8D8804CCC40833D221418645131BA85B3B8B0B3BFBB393CA21453A3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:03.797{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE872C8985BF202CB1BFFAD8A81AE239,SHA256=845F1A3ED6FCB2FB6B5F2D651A65683567CA8E15FE1DCF53B6DDA965349FB504,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.139{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64986-false10.0.1.12-8000- 23542300x8000000000000000280621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:03.328{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659C25941DBAD4E0AD56BF1F45764507,SHA256=3607CEB578DFB6648F732E5BD39E45EA521C23AE38C0D73912B8C3B7DFD06FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:03.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51053-false10.0.1.12-8000- 23542300x800000000000000053644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:04.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3428424FDDD10E88F11289F1ACE770,SHA256=261D6FB66B734251E7EBD10FB9740EE7E5C33CE46E425A1773DBFE9D8DE89434,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.726{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64987-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.726{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64987-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000280624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:04.381{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186FC12FCBE3EDC67DFEA70F121C262F,SHA256=C029F6F7AA722984754940E29FC0CC13F1C521C53A346404905E1294D636E8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:05.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A48786E00835FDAF4E51D8D70F96BD6,SHA256=695A6B73F96D1E43ABE0B8145EAA8B8A7D629159D65DCD454E6F41DD4E8CED4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:05.544{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5473CA1650776881255DC3DA3813C987,SHA256=D856464700FE0D7DC1CCE335EEEF50548B2769C17EE9B07AD028D677C725AB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:06.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9DA5C8255F20B82F71C34BC1848A50,SHA256=0EB7CFB79F32FCB7E4F6D95CB53608D0A7AB1BEBB464DD8AD563C20B97BFE60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:06.594{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3EA8C357173D9D0AB4DE4BFA8D9F10,SHA256=588019C1134ED8EBB6D11B21A393BC14CD02F3516341512981BE851DA887A049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:07.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAF9CF1E1A1170D8C4BC5D5C24D0538,SHA256=DF4CDEE0ADCC763A2FD39672B1CB833C80184FD691398E984E42A7FBAEB2FD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:07.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED3D8A454359C78BFFB97F09F29E334,SHA256=6398312A9B008780D6A46296970B155B9E264FD24737F2C0911B9A085BF6E51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:08.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D777945B6AC10E5CF01F34DE9C4D3E,SHA256=E37DE0F611E74A4D54F5C55CFF727E469587C6ADF208B944CA535C10FA909DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:08.663{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E5AEFFFA1B800E0903B8BAB827EDCA,SHA256=E51719D30663A75DB836F3D1749B23D7F547B21E088C8B5C93D69D878C877822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:09.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4229C15CC075D823A354617DB0B221,SHA256=A83D9307C678D4EFF43722AC9ED06AA25CAA866C46EECBC1E4A973A060AABEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:07.107{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64988-false10.0.1.12-8000- 10341000x8000000000000000280633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:09.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:09.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:09.708{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BC6D052F6161BD7375E7C4561BC561,SHA256=B294825C7581B6A7712F4FF864628F57C36C281B7BDB07EA644D7B098DD6BE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:10.795{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4985BB19E93254AF9207ECA408E5B27,SHA256=70CCC381841A2A58ED1A29D4D956A99907DE4980B91793B7C86394D38F03A7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:11.843{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4642CD6ADDBE8A88294C773D4B8A373D,SHA256=E9FC8B4E34FCD23F0B95525C86E5B7AD1B9037739751C01A6A10350AE2D0F203,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:09.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51054-false10.0.1.12-8000- 23542300x800000000000000053651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:11.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A6C7EFA85414D18BB9AF6673720964,SHA256=546E2441D583FCE5B971E44FFE4A46F7631B6904EAABFDE6FF27C0EC2AAE128B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:11.263{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D9BC-62DF-8700-000000006F02}4224C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:12.893{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8C8FEEEDFA982C5DF88AF26501D2A3,SHA256=D0EB7FCD06A8097754ADC4EBDDB277C6E4E80F506550CC77997EC5E067774836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.888{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.371{53069400-F45C-62DF-9B03-000000007002}34762368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.216{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.105{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A003C871B331C7F933B305CC89032B3,SHA256=8BDEB2D8CAA0494210A7F98DDC8B7772D1EF87B11BED14F3B96D9C4CE4937D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:13.940{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AFDC7F2BB40DE052BED0D499DD897F,SHA256=AA3CFFBC39163EA6302AE7EC13FF73A0020777D2D07DFDB7D78D222DDF2D8163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81DF041D2C4DE1C0DF5BDAE5CE95483,SHA256=67EDED0B180A89AB979DB5051F4AF7B6F3EF8DFABF2B9ABEE28027DFDD9D2C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8306D70B435C855875577C339EF52856,SHA256=A1D49560EEB117774B53537FD22E3B9B0FD10F20C86B00BDDDA635346FF97BC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.059{53069400-F45C-62DF-9C03-000000007002}23641188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:14.990{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79DFF0971A960925777D4D1319C8B26,SHA256=B05E6B2C79E7CFB06896D87F04E07CB10A758146DF5E9D4E7D846143C834ABF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.934{53069400-F45E-62DF-9F03-000000007002}8523748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.733{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5412460DDB5A035BDF894C7AFCADB8B8,SHA256=9578C68D7081C981C945E82B0AECF29DE5B3CF091B20BDAFF9A68B0E1B358D0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.418{53069400-F45E-62DF-9E03-000000007002}3664184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.231{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD83C657B52258C6D13E03AC38BA8AC8,SHA256=62ED1F274062B1C8336E2AFC6A297290AD4D646CEB8771E487FFE6D17D569105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.903{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000280641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:13.088{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64989-false10.0.1.12-8000- 10341000x800000000000000053738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.403{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:16.980{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12980E6FE408A9F2726BBCEE4849703,SHA256=8F3A33E5ED604180B2018219736A9D101BE42DA6DE37140420A598223EBD3E53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.942{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.942{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.939{F81F30E6-F460-62DF-5205-000000006F02}94169488C:\Windows\system32\conhost.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.921{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-F163-62DF-1F04-000000006F02}226410744C:\Temp\dcrat.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.916{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.038{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE1D9070DD9FE8ABEDBCB0E2AE54A9D,SHA256=60D56F3805CCA74ADEF83E8F938D706CCD230B0A62E5CA2788DDA8E432E200CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.389{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2796AEBC64A9183505A0E63F3B2045,SHA256=AB37590FA1D21BFE80347023A4E110D10B7BE3ACE8521AC793900AB2B77A2492,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.140{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.139{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.139{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.139{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.105{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.089{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.089{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:17.293{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=03345DD0ED23B6B34189A8F451EE3267,SHA256=C60C10D8AC128ADAB2B60367D406B6DFC30ECC9126DA33E78B79D84EF2913276,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51055-false10.0.1.12-8000- 10341000x8000000000000000280677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.042{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.042{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.041{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.041{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.041{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.040{F81F30E6-F460-62DF-5105-000000006F02}94009420C:\Windows\system32\cmd.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.040{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.040{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.120{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56D9824410A78544885AFBA8452FA2C,SHA256=0BD68DAA719F3671DCB807D5C7E2B603523CD963400F62AD30194D48C714354A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:18.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6BC08ADD0C1538AB9C550B5E1A127C,SHA256=B382B0F9717D9729A0C35FC62680B5923B1AF11431AD3E5765B844470DDE9A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.004{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=756DE43D46498A5AF978A9FAD8873738,SHA256=39E2813A563171E0553DD1814C2090B77E0C3C6809E1642DBFFC562DF13B9A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:19.223{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226A9D09493E496F21464E9F89163144,SHA256=303595295E9A67F8ADEAD6396E90CC1E9C50D68029C17EC4648C36B3034C80BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:19.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141B1C56D98E82CA0C855AE38841F7AF,SHA256=2A184A77AB9BF27C0056A20DE4E0D010E22FAC698CFFC4019F0B938D7123DA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:20.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9EDA5CAF76FD54090AA21703283E41,SHA256=8C01CA95EDD028B4B18AE2EC8EB09E9F9B0A5F0667A7849200A333C73329746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.976{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF330F47C69B98C307FBFD09581D4415,SHA256=AA322D316C92F1440B59E7F384107ED8E26D700FCC531E8A654EBFCED995F036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.723{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.723{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-F464-62DF-5405-000000006F02}1015610152C:\Windows\system32\cmd.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.683{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.623{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.623{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-F464-62DF-5505-000000006F02}101609336C:\Windows\system32\conhost.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-F163-62DF-1F04-000000006F02}226410084C:\Temp\dcrat.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.605{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.260{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F951E396D8F7E7C7B34ACD399746420,SHA256=E9C53B9E6116203469FE39219204358AC566D8851E14CBA060B736329AD3FE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:21.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626C0D70514954DE517CDB68F9A51698,SHA256=AA8930FFB14CF182789AF57B2C46580E58AD8CF67F6EA0AE0709B348CB3FF969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:21.292{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DA7C469A393B3DA27C003F9CF1F146,SHA256=37050448D4C7D470D9E6DF424F68015D9F6F53A5D4E23F632D3ABCAB4BD0CCD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:21.224{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51056-false10.0.1.12-8000- 23542300x800000000000000053760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:22.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDC0C0ACAED53313F014CFC8CA8AA80,SHA256=D4F865904C79C96A8E17E6331F7C76B4E9BD58828EDFE53DF69F46E6B93CC0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:22.323{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1513B0C3793BE7B3983AA030E0DB46C6,SHA256=E824795603C37A85AFD4B5C8F3AFEA9B0FCCFED0CDD5631E9ADDAA82EEFAD5DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:19.073{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64990-false10.0.1.12-8000- 23542300x800000000000000053762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:23.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51F61C1437C020C82CEDE7123470DE1,SHA256=BD989461007853A398E85894128E79E35F3C790D2CF2CE694584A184CA78C10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:23.374{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D441A7A8D28EC3D646C8767E2005EFC4,SHA256=C48A8B2CAEA82C64718A62050C092893878F1ED161DF4AB3D28C45C732195508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:24.746{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C6D890CFB46A54EB03249ACF5248BD,SHA256=3AB2D5F9C17058E3BEF288C95E050E7F9A6FB69CA82A51D856A2BEC5BC3248F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:24.420{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F939919D1CA45D03BCFD3FB26E7016,SHA256=3AE1899EE685BD38EF9030AD202CCF41CD5DFA77FB4D073BA8B5FBCBC5319C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:25.838{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9752785662F91948D17F370219515C,SHA256=4F115ADC4E4D31E63BEA25CD9CA3934C2BD494C5EB1155B18B330F32154E7266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:25.559{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F1513FE185F45092A17A3AE95C4A6A,SHA256=CC17F4778A9347248B34417A54329353072BE3642B51CB97E672BF8A5D9B28DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:25.705{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-111MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:26.929{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC77CD26A05CFC7F47365004E4ABF9D,SHA256=FC94E4A5D4A53A7A2A8F9DA1A8D548F287197A3F9B1D995ABD5DB4828EF3EF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:26.589{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5922205ABFB9DFC01971C5DB550016F5,SHA256=215802F3F312EDC915204F3F4E804BDD3645EEBCE37080ECF3110B07CFD8E3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:26.713{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:27.737{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25BC9A6B75E1084E1E9A5D611E01C2F,SHA256=E530AFCC59C0CB7382855D7E63D9799EB882B031E2392A2E09E3B9C10E6A8C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:26.300{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51057-false10.0.1.12-8000- 354300x8000000000000000280776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:24.204{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64991-false10.0.1.12-8000- 23542300x8000000000000000280778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:28.787{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E0F68FA8D328F50F81EC0CE2F7975D,SHA256=FF97D11644FD617198D3E4B6FDC4993A7B76A5CF18BA291075983A3ED8465CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:28.025{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9BA4F6579568CFB765D0EE37DC7A20,SHA256=120BC70682E1DFCF76D2EA959455EBF97270ECB534460FE77BA5A778133090A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:29.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCE392FC854FDEC54F3815CF011BDBC,SHA256=2F66893127E599C4C303A4B527EC44B1F757CBECE80DCA9D9D36110C808C3617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:29.119{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E134B1BB25D641947DA1A826CA69205,SHA256=8149D44F0D85F59E7C48782C362F132E151CA840C173F5F33A5BDF1E07F447CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:30.958{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DC42DC5D9D5DDDFA6E1478C23A7FBA,SHA256=346D8C7DB6342E0738274CD45C121E726D259819C90EFD9945B5EB281B7793CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:30.213{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774AEB32C776F3B5294A2DC5B8AA5CBF,SHA256=4247F3A660A93AD277F6F219DEFD7D6E76A8E7F430D5014BF48CF4E2221926F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:31.306{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241524B9311BC5CB03A5B64307570FFB,SHA256=390626AE55B070F114502BF1EDBE1BC805F605573AD1A023DD49043FF24FEAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.788{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6FAAA028F068B83F50EF81F986C97D1,SHA256=7BE544EBEB782BB0BAFD78E4605F2BB100F5E35FE8D97E8ED1EFBC8BA5720343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.657{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=56974905B9DEE5CAF5736EA459235B30,SHA256=05A41A9107B1811339664E014C060177177956F5D9D95E642113F0E01756DDAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:31.257{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:32.400{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CEE1149A4ABA3800065644C253E0F7,SHA256=561F32C724829CE1F73E21C44DE7EF775D4D1B7D3D544398A055E746D23E102D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.922{F81F30E6-F470-62DF-5805-000000006F02}1087210876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.706{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F470-62DF-5805-000000006F02}10872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.706{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.706{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.706{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.706{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.706{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F470-62DF-5805-000000006F02}10872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.706{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F470-62DF-5805-000000006F02}10872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.707{F81F30E6-F470-62DF-5805-000000006F02}10872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.443{F81F30E6-F470-62DF-5705-000000006F02}1085610860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.405{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B81B6AD3B3D7C46F885409076B21774,SHA256=E73087B4C16646937AB5BDC5F698792843D0416CC3EDF85152C731A973FD19D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.204{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F470-62DF-5705-000000006F02}10856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.204{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.204{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.204{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.204{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.204{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F470-62DF-5705-000000006F02}10856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.204{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F470-62DF-5705-000000006F02}10856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:32.205{F81F30E6-F470-62DF-5705-000000006F02}10856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:33.494{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E4C31B60A42070093ADDE9135AC808,SHA256=BFA9D25FE1589BB2F941482D227B71D53AC3C034688BE6C820F962D22D780C7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.390{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F471-62DF-5905-000000006F02}11052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.390{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F471-62DF-5905-000000006F02}11052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.390{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F471-62DF-5905-000000006F02}11052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.391{F81F30E6-F471-62DF-5905-000000006F02}11052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.321{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=950A971D904851DE0F0D9ABB03E8535E,SHA256=294EDD45E4CC81DDF764B6FA6594BA8ED5792CBDD1A9B6551228DE663C814ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:33.306{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508EE56878EC7DB95BEB16465849AC3C,SHA256=2E5829A13BE9853AF71277044188B5C53A51169D673CE2D21E6BEFA51C785769,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:30.217{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64992-false10.0.1.12-8000- 23542300x800000000000000053777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:34.588{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE80968A87C3DA989E7117EDA8DA1440,SHA256=F015FD44CEE251352C69644D57818127304E1027EB8242F4D7BD2F50B28C1781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.823{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B1D9F6CCE5836681287B9C6A9D3CFDB1,SHA256=F7CFF92907442D1912A17DEAB4AE5B018F0111C8DC387972E6C856108F9B1650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.623{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F472-62DF-5B05-000000006F02}11140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.623{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.623{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.623{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.623{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.623{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F472-62DF-5B05-000000006F02}11140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.623{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F472-62DF-5B05-000000006F02}11140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.625{F81F30E6-F472-62DF-5B05-000000006F02}11140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000280870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000280869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006961b8) 13241300x8000000000000000280868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a0f0-0x4094d035) 13241300x8000000000000000280867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a0f8-0xa2593835) 13241300x8000000000000000280866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a101-0x041da035) 13241300x8000000000000000280865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000280864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006961b8) 13241300x8000000000000000280863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a0f0-0x4094d035) 13241300x8000000000000000280862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a0f8-0xa2593835) 13241300x8000000000000000280861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:34.561{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a101-0x041da035) 23542300x8000000000000000280860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.424{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE39957AAA1E33CFD82C978C8F76024,SHA256=8257B225B525AA8B462E484611A3943F11F5EC34736E4A24AEC98FABCBC85FB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:32.253{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51058-false10.0.1.12-8000- 23542300x800000000000000053775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:34.072{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1ED6CA55804806F8059C182638AB7235,SHA256=86B2EA706EA746B50481B53F0135A1DF031EC87932A5D5CBDAC2DE9A91D55638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.324{F81F30E6-F472-62DF-5A05-000000006F02}1108011112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.061{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F472-62DF-5A05-000000006F02}11080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.061{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.061{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.061{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.061{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.061{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F472-62DF-5A05-000000006F02}11080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.061{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F472-62DF-5A05-000000006F02}11080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:34.062{F81F30E6-F472-62DF-5A05-000000006F02}11080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:35.681{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A588D4587D2C0DDF5E0403A93ABE8B23,SHA256=0291D4AB7CFDB65FAE5A0B859BB747D726574D5863D5A00FCE9C8E60BA248403,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.959{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F473-62DF-5D05-000000006F02}11180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.959{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.959{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.959{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.959{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.959{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F473-62DF-5D05-000000006F02}11180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.959{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F473-62DF-5D05-000000006F02}11180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.960{F81F30E6-F473-62DF-5D05-000000006F02}11180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.560{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0786452FBE50892DFF650F0149133EA,SHA256=E3FB4DAAFC83EE15D3105D19ED7840D3D94AADF858483EFF2794FBBC5724533C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.491{F81F30E6-F473-62DF-5C05-000000006F02}1073210712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.291{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F473-62DF-5C05-000000006F02}10732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.291{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.291{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.291{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.291{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.291{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F473-62DF-5C05-000000006F02}10732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.291{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F473-62DF-5C05-000000006F02}10732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:35.292{F81F30E6-F473-62DF-5C05-000000006F02}10732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:36.776{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9727F3FD3EF8823119C897E2A18609A7,SHA256=ADB432E5658BC867169C9FBE4C65F34B5160B0EB0B10DC262AE5E3538CDC4FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:36.675{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=3DD1567091B3F57554E35101469AC32E,SHA256=B0DAAF6E8702FC3605F28C31E9815CC373A5CD8C7E38D348825F1E930AD5B890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:36.605{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D261D107B5EAF6B98D5D06C2B550D65,SHA256=A7E5BA07AB7F3162B59BB5638BE5851565F275195DA2B61ED12443A6DACD8DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:37.870{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A378D4EF43AE48BFA173C9753324F23B,SHA256=1724F3C3A2CB3D414977C56492D0B18904CD7CBE1FCC3173C5CDF70266F6BF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:37.638{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EC978F4B3997EECE9A257727F11FB4,SHA256=EB539350D0C6A637B3F95445AB078B48476B93B2D9E2A959C130946A86096CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:38.964{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F6ACB76E553FA28E8187234C55F033,SHA256=80DC2A002604439AFC89587BF0FC29336EDD6FAA562DE10292788CDC6F0DB9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:38.774{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99722102CB9E57FB10A2C46DA5A2EEA0,SHA256=965A91CF2BB14F1963E0E200AE77CD0816722C10FB565CF689E79687493CB253,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:36.087{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64993-false10.0.1.12-8000- 23542300x8000000000000000280904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:39.992{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-111MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:39.920{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4465C8FE63A106965A632039890D596A,SHA256=EDA5F4016F72305389D5D8E2919582F86976986DADCCCFA02FD7652D45FF8E4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:37.273{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51059-false10.0.1.12-8000- 23542300x800000000000000053783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:40.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFCFB1539058DFBB6B810E341C7912D,SHA256=9DBB906568A6941DB7B4FD1799448DECFCB1AF00DAC58B50E01870A68A03C7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:41.151{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE812980FED938A132C3E9A922D17967,SHA256=1D5C18973D2A8702BC2D031E2E5F70C5452CBA26E8FB91FBC768F01736694ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:41.035{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92320924BBD4595541495592F8ED19C,SHA256=35CEF9D1548F25699DD909180BB5122CB3511F43CC43D858BF780333FC79646C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:41.005{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:42.245{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63F1D98A254A17A405042852B5CE232,SHA256=40594711B4E278EACFDCBF02D70274D21C6DD5E4CEBBC4D517969D03501546CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:42.072{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936E799D34B3BF2B6A3A9A274375421D,SHA256=70981BEA7B9A3501F0564D051B9E34F68064B22A98618ED7113CD46256933D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:43.339{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D6C1A43990E203B8128645E1B484CE,SHA256=47D18A17362837DC9DBB26C04E506619D61AA449FB9AA38504818B2A3E2C852F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:41.205{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64994-false10.0.1.12-8000- 23542300x8000000000000000280908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:43.117{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4533244D381717F13B615AC16D7A1352,SHA256=CEBA0867E032E60A294185B5168C5F9E867A0DA15A9444DB63FBA06FE1D84A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:44.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76651E54BFCFA2BB485005167D4BE90,SHA256=9CB9637906241A1A9BA7CF85AE7C0DFBF587BDA3C823BAFF06EB9B4977412085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:44.269{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D01C94D53269D330133CDD10F96F50,SHA256=E6FD4F5B1E4FE13B3E9B0A0CAEDCB3A7257735235399031F40D041B5A1642C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:43.161{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51060-false10.0.1.12-8000- 23542300x800000000000000053789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:45.526{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B9C3D2B51CC7E5DCAE77AD8D6A9D0F,SHA256=AA6EF4B28EC0B862947EC70D1CF8B050E805869A5E346135552D0887DD3C9644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:45.432{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567024D6A8E6DE6944532DA2138DA742,SHA256=53100D2795E7158F95D401EFD98BF26584BFF7C09D5775467C4B08216927CF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:46.620{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A76A4C105867735AAFA1009DFE3D71,SHA256=0AB2BB786F7CF9964658C66A5024FA374B4936F2737B33E9AB394F5FCEC878D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:46.582{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD596A5232B1ABAC2A066D92701411E9,SHA256=0ED86AD7C38683530C7DD527DF79AEDF49863863C8C41A2E629901B023FD6783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:46.073{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:47.714{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82156BEBE3AC9CDCE0816381E634FD66,SHA256=C4C0440E7F1973AE7C433ACF40AB27329287C4CB625A0E8497F65081C0B998B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:47.712{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C61020526F84853B8E8F6EECB27D82,SHA256=3D699F865E1054C76594DEDB9510C43DD91F9A6AE6D95D827740B0923D2520D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:47.620{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4AAA345FB3213F0C47F0E0B03DFA6D50,SHA256=5E8F5E9057B5A12BA906232E59446D5F2F0B965F8D62FB020C391894317BD6AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:46.129{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51061-false10.0.1.12-8089- 23542300x800000000000000053795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:48.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89757F8767A2A4864FE62C2C5248F61A,SHA256=D6E32DAE28C7F86E1693D45CF0FAA54604276E3C66D544C20874EB9F23AB92E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:48.750{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF029A438CBDDD7F577452B21C557CB,SHA256=73FE054790F7B4AE87F5D84249C6991C9663123870C83278FC2ADD39B663F378,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:46.226{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64995-false10.0.1.12-8000- 23542300x800000000000000053797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:49.901{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8300A4F7767FD40BBA3239AC622EFAFA,SHA256=1F23DC0345BD771C920318048CA0A0F776F9A8A64440955950C471146793C66E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:49.865{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDCC67ED66D9D78DC1F5327A1F7CF3D,SHA256=869F11F6E2062D4C71EA442BDF5E553B3DB2B342D7C0581D840B33C4A1C3F2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:48.238{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51062-false10.0.1.12-8000- 23542300x8000000000000000280916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:49.050{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:50.995{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F676683ED23846EE1DAB3826D6D0DA6,SHA256=C070E961E56B4AC45BCB57A8D64953C472E1F0CA1ACB3261351BC0B6D5C1C566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:50.911{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F867F83FDEE8ADA89888067D798DA10,SHA256=B737FBD4F3A49597118449AAC3DE051F1BA2EDE1000F5FE186C8E090A82AC1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:51.947{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914121F323E8F50DFF0FDD2F4331AB70,SHA256=8B0242AEC497CCB91AB58ACA905A4802500419DB5320B94BF310B3A23AD331E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:51.727{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=802D08F77C39F074EBA5A8C4ED70CB78,SHA256=D5011CA0319EC171842AA86EBC2677414B3C890A9BA5DCDE81E8E41FC68690B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:48.063{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64996-false10.0.1.12-8089- 23542300x800000000000000053799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:52.089{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A1AC55BEA10E3B184FA57471AC6E64,SHA256=BBE2B7BFB26D63757E8D2B133A44DD3C621DEB621F38F7596D23EC1C7268282A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:53.183{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B376F3608944D1CE0BE4E703051EB8E6,SHA256=A1AF0E8CE371B9A3F248FF03BA289AC845E3C0DED9125C677F8541804853912C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:53.029{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402F9867A903A8845494F2E048D45B2D,SHA256=3AA0D9BB56BDAB2FE95B544C864D5D1F36442F596C1F884918C8ADF2797B1E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:54.080{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E9A04CC703FE13C64B42195995A5D2,SHA256=CC88A171D16069E560CD150ACC5026DC3E17008F8FA3EECB6193C033A62C0471,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:53.317{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51063-false10.0.1.12-8000- 23542300x800000000000000053801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:54.276{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7608F6D94846076ACCBC4D98F77D76FC,SHA256=67124D6A6756A11E0D5A5F1EA018FE71B9F72C0E6C7235E196709B8D8F9B0B3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:52.244{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64997-false10.0.1.12-8000- 23542300x8000000000000000280924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:55.110{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC86F343A7FA8E7134080F8FEB5EA4B,SHA256=5BDF0E3542AD1A9591839BBB2A05C887AEEA77C4389F16EA582E125DC53535D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:55.370{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21AE3DB4603D6274F8F6828FA2B5D7C,SHA256=C85EB7E221657C9CE38B35E11CB9B0D029F1412CFF60790D91F2FA412271022B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:56.464{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561DE9BD665657B81A75937F9E231329,SHA256=8308E18E04C1BECF957E031A1E09AEAAB2AEEAC2176929C76CC1265C6DF51CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:56.229{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98363008575505DFC54F6F4AAC07CB4,SHA256=E6BBE409003B09ED2782B72580DB51DC2E89F29DAAC93A68EEB90F75717A1394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:57.558{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEC5E3F6C025EFD7CF80330397DFC93,SHA256=CB9059F81B92106F22E59BBB4FD041A8603AB85B898ADDFBE84C2EBBF6A044E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:57.279{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE012900EA3C58F33AAFE3F9B498C7E,SHA256=56D2AB793207A7D3C6C81CB7937BE4CBE6A626EB055FFBDB1775E915FB94D634,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000280927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:04:57.247{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a0f8-0xaffee638) 23542300x800000000000000053806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:58.651{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05F4188A17D172306C491C8017F2844,SHA256=F3336B8AC485990D7BFC6EA04C9009FC78585A887AF04D6C734A353F19AB2930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:58.326{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3376B5FB9836672B4ECC20EB97F7B54C,SHA256=152D88DBC024E8ED6A5F937BF4A3BB3E21F234258865150526EE7E2227335B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:59.745{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E594B1AD8E30C44E56497314DE21754,SHA256=F264E40A5EBE093CAB8FB401139A93DD22B2E9DA7F6E7A181536EFC22296BE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:59.461{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29555FB4AA20645A5484F83BF6A6A041,SHA256=D9437E80E932277752B8B72A8179B95EB53158E098ADC4A49B7076EDD4983E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:59.008{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:59.008{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=65C1EE11284F7044DE0447C2CE68FB4A,SHA256=489B841533FE17593FF2E77DAF6D61E938CE36768B8C01830AF09069A55D8E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:00.839{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13AFAC6B555C1C3DEA5E7357B2FD93D,SHA256=DE02F03C25CE6EBBA7D8A32DC419E37108952A72D8A2827D3EFE6E369A74BE2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:59.223{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51064-false10.0.1.12-8000- 354300x8000000000000000280934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:58.059{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64998-false10.0.1.12-8000- 23542300x8000000000000000280933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:00.507{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C31F64E3444FFCD64E855DD1D84D62A,SHA256=D426FCB5E64B3AC28F9DED0ED7EFF40FFDFA0A0B491A7A39EE91786173EA0538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:01.933{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0B1DC84250626DC15D77CF25ED755C,SHA256=30EED1EE7CB812502D14FB830DD3578C06589A04B7A1FD7A6F5F10063E5CAF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:01.607{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DC6075B30437C44BC721F6CCB68339,SHA256=35FAE6C1935F90BFAD1866A9CEB6DE26980A42CF76C26CCB21E786D4754952B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:01.044{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EEB6EA1CD618D2DB3233E64AFFDE8AC7,SHA256=C2FAE001D8EDBFA6F52A74763027371BFBD7ED4D0E9726C0E1AAE603806B31B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:02.693{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D0D2E15323AF7ACB9991323E6DE775,SHA256=9C76D5CCCA40AE4FA9274EA1B581D366F50125890888D8654C47A4F4581A6EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:03.826{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D4EF4166D55FA20BB910F70A73D0FC3,SHA256=67A54D00BFC8FB58D6DEEF3F885F14B947E7A57CE90CF34745FD618666277973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:03.725{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2AD1D36CC9A2E9B42FD65D8AE6B37A,SHA256=9755911FDCAD249C65ECD0C9B586A86712F415DEDA64648932F5620598735227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:03.026{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0651D9B360F53F5C893980877807C244,SHA256=C6952396A48361F1E87683BCC3684C0EF016B55105C1E1E19A02623B2985519B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:01.737{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64999-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:01.737{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64999-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000280940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:04.747{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C380EE36213DB64E348C1A2A14F1BC,SHA256=9396AB8611FE31C713AC2AE0B332B85C5C80A81A857FC8AEA993F20C3FBC66C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:04.120{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A692EEFEB22DA43C14A69B340354E5AE,SHA256=DB0EE15A24733E8482C941D0F216DD845C9F84F215C73D6E63890206F2ADC18A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:03.073{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65000-false10.0.1.12-8000- 23542300x8000000000000000280943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:05.893{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB910FB7FE4C9F31853B8694A2C33DA,SHA256=1919472BE0BC3AC02FD6F0605A247CB501778B16369FDF6B04925515295AB64A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:04.238{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51065-false10.0.1.12-8000- 23542300x800000000000000053813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:05.214{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34D7ECD0FB3C26E6D0F6B6259DF72A6,SHA256=27A63E1E339C5F21CD7DA12EF5043CA7108C397935C49D25A1156F2960831B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:06.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521656C9C7A6376E9743A8491E754D8D,SHA256=3F709717315F9B44F6A336C407CA81712DC4CBE667C2B44406BC65DACFC77D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:07.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D40994DC273C41D5785ED04FBF40B7,SHA256=9368CD96BE9A812AEE3869C43349BA58E5B1028FD3224F1FED65EE40CCB268FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:07.046{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC835E1D93332200F2ADCE45FE9BECA,SHA256=95DFE1A48D06A1BE34C2F113C641704FF42BE28BB8AB2A7417A87A383E9850CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:08.604{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B7D10E58F1CFAF87524DC5B5319EB9,SHA256=4E12E3CF69CC66D27F74C59960C7CAB40D71FC799E87D521761340AAF4A42A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:08.192{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99478AB44D6AC205A3078821E42124F7,SHA256=B3F01A79EE6AB79BBF251418A984E5F48C28F9B3DBE8E6FABD2EEA9E43AEE54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:09.714{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361F77ECFB1F205C6274C9C2B7E23542,SHA256=1E196F23348684A326F8455179E0BD811F96C2C6BBB7CB59DA999F1ACCCAE856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:09.324{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5ABDDF67612F9042E73D255D3308CBA,SHA256=7DC41EEDB634CBC78C5F042A8C5C91513D055692FBE0E5E38439F67A7D71A0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:10.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CB92FEFA15AB88E758DC44A96EE160,SHA256=92FAB35B022C3FE09BD69DDD191311C4519C7A27107ED9BB76A59973ABDD2FA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:08.157{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65001-false10.0.1.12-8000- 23542300x8000000000000000280948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:10.359{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB20297D9306F64848BEF9FF7185B94D,SHA256=51D38A323186E291EF029FC949ACC6B640750A3AF59BE36C64A3DF5ADF68315F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:11.901{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A1BF146E270A5E28C0C925395C3A3D,SHA256=7686B769EF8DAE10A5C291D14BF798C50671D9AE9732ED01C67D33D8B849AA55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:10.254{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51066-false10.0.1.12-8000- 23542300x8000000000000000280950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:11.389{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32AF743717D3D698EC4E70C55589275,SHA256=8E21DBFC21B1E5C5D07918B7667947EEBC1B5DCA21FDD0ECB4DCD800B7D98EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:12.441{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CDD0576DBF9FE9D3207A40D98F6F0C,SHA256=9AC2C274978D3286CF2C9EB2A1DA9604C96AEF5385DC44D0F4301474869ADA72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F498-62DF-A303-000000007002}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F498-62DF-A303-000000007002}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F498-62DF-A303-000000007002}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.886{53069400-F498-62DF-A303-000000007002}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.417{53069400-F498-62DF-A203-000000007002}27964048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F498-62DF-A203-000000007002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F498-62DF-A203-000000007002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.214{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F498-62DF-A203-000000007002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:12.215{53069400-F498-62DF-A203-000000007002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:13.586{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721635401B6CA55F0A87B789CCA5093C,SHA256=BC91189DBC6D9C31701039F3CEE9FA5DA74F6CA5F1ABFC802030E7B4DC354CA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F499-62DF-A403-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F499-62DF-A403-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.464{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F499-62DF-A403-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.465{53069400-F499-62DF-A403-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.323{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF07E170D448B8B3C1EE9D77C48498C4,SHA256=ECB007F8C8B424781ED9BA6DDEB183203A97B3D99C9E904E60D0D2DDC5E24E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:13.104{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C5CE19A7E1172D5D31AD40CD741C92,SHA256=21EA4486A581740CE9A35A8DFCF136FCCD447DB5E531A53278691FAD0780415C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:14.738{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA435DC0AD00BFC1E750BDC532E62789,SHA256=9F3D247B997C6557644F72EA0CBEA54212979E263395E5752DF122A4EAB649BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F49A-62DF-A603-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F49A-62DF-A603-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.808{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F49A-62DF-A603-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.809{53069400-F49A-62DF-A603-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.323{53069400-F49A-62DF-A503-000000007002}38323680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.214{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37B7B3E75892751BAEB6AF1A02CBE01,SHA256=954BCDB1E11B81E9490D8E911332A552FDBD1BB2FCEF6F8E4AD1FF7E38DF1AFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F49A-62DF-A503-000000007002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F49A-62DF-A503-000000007002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.136{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F49A-62DF-A503-000000007002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:14.138{53069400-F49A-62DF-A503-000000007002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:15.884{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D579D13D6803051D27D53D9932D7277,SHA256=587E79CAEA7B60869E979398AA18B3E85609D83F3F87A767EE42FD8E509438CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F49B-62DF-A803-000000007002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F49B-62DF-A803-000000007002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.996{53069400-F49B-62DF-A803-000000007002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.776{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E8ADFD5BF1AD87556048E10B159CCE,SHA256=B4C68A7AD1FB5717D5A7669C013D2E4E49C0332929DE9D50B50E8C82D47302EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.542{53069400-F49B-62DF-A703-000000007002}20803448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F49B-62DF-A703-000000007002}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F49B-62DF-A703-000000007002}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.370{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F49B-62DF-A703-000000007002}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.371{53069400-F49B-62DF-A703-000000007002}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.011{53069400-F49A-62DF-A603-000000007002}16321404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.936{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B08B4E63430A24F0D12D280C0E8BD0,SHA256=30FD538F0630A74DBBE8ACD8C26A4B5EE1778539687935DCCF72775CE950F0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:16.604{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884DD5F063148EF1825B968462F891F7,SHA256=EF6D6198954D51AA31C85C4EDCE659B6C0513D01C1A416EDD4EB738BC6281F63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:15.995{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F49B-62DF-A803-000000007002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:17.966{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54424029164759D52ACAA6E21F024542,SHA256=C7AD208621107FEA43D5F158599478A3FEE39754E99ECF27131DD1441B06882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:17.823{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617638E7F0ABC3941F5D35E12590C1DF,SHA256=D0253118AAE6A8D0B5FE6499E4E7557FD204EF1938637E751EBE09A79823878C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:17.099{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000280958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:14.082{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65002-false10.0.1.12-8000- 10341000x8000000000000000280957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.998{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.998{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:17.073{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2FCD7B42B3751C63CADDAA9FCA13943F,SHA256=3D81891FED2E5764A7D958FEE1928A12DFD418678EA4E3FB672CF6304D5708EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:18.917{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3763BD1C138903B3AA056452E8706E0C,SHA256=1ECE736552BB0721F470DCF3695419F6AC40EE2C06B437B640106B538812A1D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.118{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65005-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000280966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.118{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65005-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 23542300x8000000000000000280965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:18.082{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B2903D971946E62CB26D5A6AE94BE8E,SHA256=D740608054E96BEDFE0E874686AE5E52AB031EBD71B9A737C864E47132624C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.022{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65004-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.022{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65004-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.015{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65003-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:16.015{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65003-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000053924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:16.176{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51067-false10.0.1.12-8000- 23542300x8000000000000000280968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:19.134{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8179F2A02A86D96DB5CA90AFE61780,SHA256=92C2159F2A4AB4B4AD951FEC05D287B08E839FCE29E394B20091DFF6D2F067AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:20.264{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB14F220BED4C736C2E09F0C9C8758F,SHA256=280B3706758CF942878F58062295650AA873C5AA294F680AF24D29EE89D61C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:20.011{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B9B8F98BC5B5684F71EF7E237D1B17,SHA256=9A2156F9074D57BBFEE9E10DDA160175BC1C36781C444BB348EBAA611B5E95F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:21.295{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA397C70C26EBA96FA27D17542C698AB,SHA256=A7A0C3C80656DFACC4977C153ED8B8D43DE3038D6558695E37A4788530C42C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:21.104{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31523189261CF61623A45C36C029D75,SHA256=16ADCE0C79C32A3B6A69D31C2531A11F7B4F66583163526E96AEAB0E652E2DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:22.312{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F383DB909C0BD29C84D508B5003A4F,SHA256=E88FF63BF7CA3C957095B67B9D8E8F74392AB1367D69C1D41341711D788B1F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:22.198{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982C8D633E12C6F975D16C9BBA0FB829,SHA256=1D84722E2C097DD34A4D2143EA52978C8E755AD383C17B854BC7840F7E93E754,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:19.261{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65006-false10.0.1.12-8000- 23542300x8000000000000000280973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:23.463{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562FA3A77BD87E4B5CCCA787EB473512,SHA256=6CEDF53574D2D010F20B06B200AB12937EC51C9F9141A207108F5D3E31CFC720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:23.292{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4AAEDD7BC250194B93F802F1F20AD9,SHA256=630497C87706A68D4247F89B07AB62F0D0D2865D3A6409D3B82F03E5799B0A6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:21.332{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51068-false10.0.1.12-8000- 23542300x8000000000000000280974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:24.593{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE11822EAE8C68293C6522EDF36C24,SHA256=A8B94DF608063577F38A451CF6260199DED377C899136CCF24D512D17EF247A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:24.386{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8103B6896569549A3CA7DC61A227F1,SHA256=E5BAA789CFDDDB46EE3C6C12B11971F85C32960C79CFEFB9D77ADC6392F42E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:25.645{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF77F407C755F9FC55B8A0208902D66,SHA256=E0D6E0003C41B0C3916E578479DA5C77F127327B35346C853C85855A41C8EAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:25.479{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B38A1C62525DBA4643AC73FC7C10F13,SHA256=BBD62FC67B71371D705DF72C80EF8BA0F64C04B19D7C8DED2A8EB3B65DB5090F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:26.573{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938C411712BEF748EE6CA58847F18395,SHA256=0B200BD00622F84539FD768E6079009C94C3FACA21458DE9F8687B0AF00687CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:26.777{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D7BFA99FDD96A3506AE6F7250C24EB,SHA256=77EB0D4F6A5C88AB6546BF34B733714D4BED0B1A24E958128B1416E283B6B5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:27.667{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E646DC11B513A3B5943995795894B311,SHA256=AC2C30FD1112D71D07920B22D3A9A1304E6EC81AB75BE584F9ED1FAE6E190C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:27.828{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F509FF905C7868ADA7280855CA16768,SHA256=CA827F4D89D23A0FAF544C6C9361E90998CC78340A884E863E261A23D55DFCFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:27.232{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-112MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:28.990{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265958B5A3ABA50CD7B2CD4C72EEA2B1,SHA256=8A5822BE9D4C8BC0D8F97209DFEE76453BA586D59B7D389CFA70ABE2556B8FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:28.761{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1709892B033E758ECB28C766310D94D,SHA256=894F1DCB5C491799F18B70A752A5BB201AFACBD63FC66FAAB364810A9FC4244F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:27.082{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51069-false10.0.1.12-8000- 23542300x800000000000000053936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:28.231{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:28.843{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CA92F05C014FD467FFAF35EF4C217C0,SHA256=C12ECA9AB7A115A58F499ADF613160ACA9B0465CA645AA7B2E82F8109B0FD2F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:25.143{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65007-false10.0.1.12-8000- 23542300x800000000000000053939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:29.855{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C806096C029ABD19978240DE323FBCE9,SHA256=D3B85FED68F2E276E2C9CF61ACB83655EFA9D6DF5890153813DB77F3592CD15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:30.948{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E175E1759B966A42411F728B1B04A4,SHA256=A866E07E7B309062D2617BD0DAC00058678EBB0FA2C018485AC6DD99FFB05620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:30.026{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C38212F972EFEFB4F6E7C5EB76E6930,SHA256=309C5251ED48EC2D2319528D56AF5535A487EE91E6533831D4F17434B08338D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:31.357{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BD3E32E7793C9087649065CD29ECD9F1,SHA256=DE8D0EF1778703BE88F6E62E62EC83AFE9EF791AE8A235E8A32BEF58AF1EFA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:31.173{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B2FC61D27F194931B4CFBB71522AEE,SHA256=6E2B66F66911DD887CD646098A140D72F8131FB720AF93BF9795359DFA135C1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.887{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4AC-62DF-5F05-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.887{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.887{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.887{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.887{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.887{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F4AC-62DF-5F05-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.887{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4AC-62DF-5F05-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.888{F81F30E6-F4AC-62DF-5F05-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.456{F81F30E6-F4AC-62DF-5E05-000000006F02}112129132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.310{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DD5B8604F0DFCF39BE394E1A05E81E,SHA256=3A5847216BA8AB70C336B1F1403DF0BFDC9A0879680756BD9A79E932EFE14C06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.225{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4AC-62DF-5E05-000000006F02}11212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.225{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.225{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.225{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.225{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.225{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F4AC-62DF-5E05-000000006F02}11212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.225{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4AC-62DF-5E05-000000006F02}11212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:32.226{F81F30E6-F4AC-62DF-5E05-000000006F02}11212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:32.042{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95D60D2FBAD77F2E1223104B106F664,SHA256=D6A816DAA707EAF3CD5A927BDD6FDD4EFE3E9948723D037564B04E69BA744D57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.487{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4AD-62DF-6005-000000006F02}9060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.487{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F4AD-62DF-6005-000000006F02}9060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.487{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4AD-62DF-6005-000000006F02}9060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.489{F81F30E6-F4AD-62DF-6005-000000006F02}9060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000281004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:30.201{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65008-false10.0.1.12-8000- 23542300x8000000000000000281003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.356{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62533A4F5C27C77D0F0A82FE250C625A,SHA256=3A769AEF152CC72A16B7197C2C1E3EB7D4BCE312E2540AC9FD36B54D36241F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:32.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51070-false10.0.1.12-8000- 23542300x800000000000000053942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:33.136{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5268D76A577D3CA40832219BFA119F7B,SHA256=2EB3CACEB442D7A8EB8FF7BCC685AD5738E1F2F3174CFC71437544FE0A608DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:33.073{F81F30E6-F4AC-62DF-5F05-000000006F02}67368648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.855{F81F30E6-F4AE-62DF-6205-000000006F02}1043611256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.824{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D7BB33D67D510114183B9924D898AA2B,SHA256=4C9E2A4BA34D0D1715292104193229850FE3753484B746BAE901E17AA8EFCFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.670{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4AE-62DF-6205-000000006F02}10436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.670{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.670{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.670{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.670{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.670{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F4AE-62DF-6205-000000006F02}10436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.670{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4AE-62DF-6205-000000006F02}10436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.672{F81F30E6-F4AE-62DF-6205-000000006F02}10436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.571{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C9A0159F06EEFA1A4A3B270AB779BCC,SHA256=53D17FB92B0885E481F40408445356480524C239D2F2EECF4B4CDFC10C6EC9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.408{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885810F775E7F5462B99753634713D96,SHA256=B3902CC236E9EBFF46146426540FD2517131E285DE30C19D9338A636279C0567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:34.230{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB240D1593910D2AB198EE5A7FA1235,SHA256=CD682AF6F89352BA85048BAFD5AE212B44948DE5F0B2C4A867A42B2711D71265,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4AE-62DF-6105-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F4AE-62DF-6105-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4AE-62DF-6105-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:34.171{F81F30E6-F4AE-62DF-6105-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:34.073{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0A5165F91B9664BD5BFD8AFD4E1A0EEA,SHA256=8CB9477DD625F98BF2813EC65F41F09A42E9D4F0A5E639FFED3EF8864FF01C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.654{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.569{F81F30E6-F4AF-62DF-6305-000000006F02}93847968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.454{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D07C56950FA2D783DD1DB5456D3C412,SHA256=8013160F726A097070BCB7D3275EDFA6E05AF9E512DE02FB0B85839A7477AA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:35.323{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB89691ED0CC01D07E5AF50765DE30BB,SHA256=D17FCF7C62E013F2FD3DF3930494529847EB8560C9DA1EA318709C01887FCF0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.354{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4AF-62DF-6305-000000006F02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.354{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F4AF-62DF-6305-000000006F02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.354{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4AF-62DF-6305-000000006F02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:35.355{F81F30E6-F4AF-62DF-6305-000000006F02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:36.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3020B54704472F383BB3C72B5243D60,SHA256=2D7BEAF7FFDB7BD151C44BD1388BE6EE80FE477830784A39DF60390383864044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.868{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=C5947A035084A808B731F1F0EAE97450,SHA256=CBF270C6D4F21CAECFA2CEC994196B28CD0DA5EAD780ED3113385942959D2DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.484{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC72706A0C3F25F9FC2A9FD45B16F2D3,SHA256=A39D410F7E66BD228DA20F7A7432316D0B92C8C3FA2EF87B9EBDEFC7D6D06D33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.022{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4B0-62DF-6405-000000006F02}9608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.022{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.022{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.022{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.022{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.022{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F4B0-62DF-6405-000000006F02}9608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.022{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4B0-62DF-6405-000000006F02}9608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.023{F81F30E6-F4B0-62DF-6405-000000006F02}9608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:37.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A2CDE8ADD206ED24E8349F98F6EB7A,SHA256=60C6EE02A0EB8E84B069342743BAA8AD9F77D040C383F76E504F695920A55FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:37.621{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D903A41D7270B77DF539FB2115042E,SHA256=C03498D55F69E29A773D06DBE909C7F27C118E968C65F533FCD278FBDAF1A8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:38.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E30BD3BF8F35D58ABF03D5EA2244E2D,SHA256=E66C4FC76FB6A5B8D93921E39D6ADFA288CEC772C862586759D47562FF4A2B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:38.651{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22141DD59303478303A4C8942E1E54D5,SHA256=1DE82FEAC40C72FB4858231B177725780AA0A20F08699DF337B8B5EC8EA5EB81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:38.098{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51071-false10.0.1.12-8000- 23542300x800000000000000053950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:39.698{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7C6BC74100AB5B62963E4FABB9EB45,SHA256=640836B48815C6AFE300C5B33D23EC1AA7EB8F6F35F0850E040E602C5A5274D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:39.668{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A626B1F08057844B02A3A25561622214,SHA256=8B076CBF7D5F3E995322343B70378C53ADBC1B58456F101E45F4848987DAD6BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:36.250{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65009-false10.0.1.12-8000- 23542300x8000000000000000281058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:40.699{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0097507944F7F8888A4ABE4CD017CDE2,SHA256=490AFBB2159A50FFC5424CB55C2F040FD545C152B70C3F11FD6A2A3ED5D2F214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:40.792{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5E5957945E730A2D092674B21C8B41,SHA256=9D6DFA9219567035C84DE249963C434620FA5848FBA0C87EED66708192F80853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:41.886{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F9B838F8CFA2CE0EE0CF146FDB124F,SHA256=45C9EE632CC2F27D2806A9B139785FBD2941D5C029F119F1878A5FFF34469302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:41.806{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0EBC35FD05428A4461356777B20DCD,SHA256=4C9D0032C087FBE6FD424F1F897F86913AA02AA708798C063B8BD145DD63BE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:41.545{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-112MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:42.856{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0530C1CD7BD1CBF20FDB6CF297159452,SHA256=C05C999DBD4665A585DAEAA342A7A84D52D2DBE3451A104A9A4B8AB32F27BD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:42.980{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD957608FB52E29C0979DBAEAA26C2A,SHA256=1CBDD3807BDEE2908C919E1F1D2E258613C03C1E81BF0E36C3E4B21C51AF101B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:42.558{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:41.254{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65010-false10.0.1.12-8000- 23542300x8000000000000000281064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:44.070{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348D0C70A636F028484FEA084093B2B9,SHA256=7E1119ACF6FA0DFA2C72A954918D963BE72B13D4BADDC2DD0F68206F34030BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:44.073{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD81883B6EB0D28883D1DB7FC72FFE6,SHA256=3969C7E6971BD92F1E8096BC6A0E10CFDDB95C24AE54271BAA91904304A07407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:45.167{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FA4A0670ED01DF57025236B0BE1212,SHA256=44080D16998E233AF2F776B5CBCE02FA7733FE5161AC1C7ED4A641903298F098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:45.202{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8582178729F156D8EA5D06ACBBD39BE,SHA256=454918708287754F40062792470F44140F3401CFC5F43B27278363D0B6A898BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:43.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51072-false10.0.1.12-8000- 23542300x800000000000000053959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:46.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2BD11D4BE14441DB97D12882A4D004,SHA256=E0550171351BC73451720087B29FD7087D930484E471471D4BBE79B239F13237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:46.238{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086D50ACCBBCD729F270DD284BD16AB8,SHA256=6E2D0B88FBCB27DCD591EFEE2E74140B10F87B0724F9980828930A40B8D3F098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:46.089{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:47.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7375369692E170FD9A7B54658AD39B,SHA256=6F723D347C5186F894A4BA9F21645349BA8D09A9C8EF179D12520F76D89F646C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000281072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:05:47.805{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000281071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:05:47.805{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000281070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:05:47.805{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000281069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:47.802{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:47.802{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:47.284{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C072707D1121046A01588C74F6F94F,SHA256=31EEE3AF52778A3F7B3983788C11266F4F8AA6CDBC62AB6BCA41B48F51F828C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:47.323{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28793CA0137AC2915B83C41C9660D750,SHA256=40AB6E565EDACDBCA3E07D35F83F88A68BDE217A5A68F057F691785A80AE0FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:48.448{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05ECDE28F9F994C510CC63197F3FF83A,SHA256=74EF6A30AF5D43A2E4697DADAE1E458366A4B9EBD64EC061DE1E95B31465FA82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:48.651{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:48.651{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:48.651{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:48.320{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4EE1D5E0860C74089F94D8E7DFAFB5,SHA256=582889BFF4C7D65BDE0547482007813359FB1888D1EEEBE38DABF12DDEA3EBFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:46.145{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51073-false10.0.1.12-8089- 23542300x800000000000000053964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:49.542{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7653340BAE06D09D85510B389279E72F,SHA256=088FFA645D1CD4DF8CFC2C87730260411F86C03F393DB1781D66F49C9E79F5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.719{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8354F94C3770AE7DAE363BE5FCBFE756,SHA256=C58381F36BFBF4E0CC45F92C9F2CBD2BD5A15A9407A930E6568BBCCA7856F6D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:47.096{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65012-false10.0.1.12-8000- 354300x8000000000000000281087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:46.835{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local60051- 354300x8000000000000000281086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:46.834{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56740- 354300x8000000000000000281085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:46.815{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65011-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000281084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:46.815{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65011-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 10341000x8000000000000000281083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.666{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.666{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.482{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.482{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.482{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.450{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF15501B4E490B895BF8EAB3B4DCBB4,SHA256=754F051736432621B1FB05AEEAC7221AAF5A5C24976ABC61FB3F37D2EBE9828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:49.066{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:50.636{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8478BEA2371D349ED4DF36E46513622F,SHA256=5B74537324A8901D69362AFCD3D8486F47B957FDC96A6204E7C96D9047D4E81F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:48.494{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65015-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:48.494{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65015-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:48.064{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65014-false10.0.1.12-8089- 354300x8000000000000000281093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:47.672{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57447- 354300x8000000000000000281092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:47.664{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65013-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:47.664{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65013-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000281090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:50.581{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A86937CD6482027A5DCC0F9F611352F,SHA256=DC770541616B3E0C13FE88210FB6BFD4BCB84A11990B1B70D2A5221206969A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:51.730{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01270D78E6EEC2C10B85BE0E1EE4A4B1,SHA256=77D9D82B341A523CE55E1FE2DC5EA1D850531FB9880E881E5ADC77A172D6C7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:51.718{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F89A187E1089EF83D4A0900A44A909,SHA256=CC0B96E243CE4C7BFB027CEC2149D6AC2ED6B4E12CB6DA2308E214564454216F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:49.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51074-false10.0.1.12-8000- 23542300x8000000000000000281098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:52.834{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378C3791E84A1E0D5216357D50DFA8FB,SHA256=B9F67CBEE865EA6E102DBACC4767DC2D9633A7CA07D8F256CF386D0C6A5F65C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:52.823{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B86C2B93EECCB39F13C8C33998F40C,SHA256=8CB8400394840B68AE43045A9365CC675A9E34439FC05D79D2D12EC87B54B319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:53.880{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DCD0D3500B9A2835D1101275838BAB,SHA256=23845EDB71332012666F05D56B266607970ECD8951FCB2C7E444C8ECBF7D7CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:53.917{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855775B7E6BBBA1488EB6C2E4B478F8C,SHA256=13BFBCCAD11E78D54AF89F65725B83D9003F37642FD9B0FE6B8EEB92D6FEA1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:54.917{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB35EAA292749FE6035AD57EB323702,SHA256=1D868E5CB125787895E415827D2E89AE398EB0EBB5544DF1AB70F637136AD49C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:52.147{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65016-false10.0.1.12-8000- 23542300x8000000000000000281102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:55.962{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4DCA6998F03F779B59B1D68AB84A0D,SHA256=80747E59B0EE301B4B8E3BB53ED9310A1BF8353E2D7106DC70347AB5316FBCD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:55.011{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CF6DB3C6CFF544456B3DFF68D96E17,SHA256=290B2113C9361D96294C790CB0BACBA9B3025B2149F330D8B35C6E02F3CB27FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:55.238{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51075-false10.0.1.12-8000- 23542300x800000000000000053971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:56.105{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772A717F6E1CEB874B646049BC327E54,SHA256=4494E42310AEECCC6D0814197121F8E9BF57B5D46E2E2B7F9FD3DAA9743EA890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:56.446{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000281104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:56.446{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:56.446{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6aa18b.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:57.198{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B14EF44D1283C2C707D24FC7C6377B1,SHA256=AAB16D3A30FFA0F2C93BB16390BC62BF161F415F2F921C247C7139ACB9060C68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:57.401{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+183f230|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183f6cf|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1907bb7|C:\Program Files\Mozilla Firefox\xul.dll+1ae0b0f|C:\Program Files\Mozilla Firefox\xul.dll+1ad8cb3|C:\Program Files\Mozilla Firefox\xul.dll+18163f3 10341000x8000000000000000281107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:57.395{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:57.001{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DED9BB4CD531FBFA51A2B8CEBEA55E3,SHA256=1EC7B6A86CBDD3F4ED7322EBBB042047A9A6FCF39B882C5A2C09A49D6BD042D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:58.292{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2258B87966B536B2E3B7D473A10B36D,SHA256=740CDF12909F9EC8632FC7DA52D711CC4B53E3202F74EC470EC74412042058EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.951{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.920{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.920{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.920{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.920{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.920{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.904{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.904{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:58.019{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3080C64661622226AD94CF6547C517,SHA256=E9136395202A242C99885983F30E86D8B4A0C7CE0DB0EDE824D001B056351E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:05:59.386{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B222F474165E1A635503D61B9EB976,SHA256=D6AAD97DBB4103C7933C87DD15220855677680A0EA920BA4C69D3C9AD15D2C16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:57.178{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65017-false10.0.1.12-8000- 23542300x8000000000000000281119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:05:59.135{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0753FE7E1ACBA61C7191B282EE3889BD,SHA256=3A6FCF1B85292EC62C1AB959564A8A07A9197D34B00020149278758CDA09E060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:00.480{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6356502193B100D580909F441F3EEF,SHA256=D2195D4D76E6833859D6FCE21C789498962E8AA2794149769A3C98700D4948B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:00.299{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2774BD011685606A90FB3E9879773389,SHA256=C132ADFC0A45ECAA5580D96978E466A4C52FE6F4888CFE299638C796864DAD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:01.573{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA102C7E0CC3F5E0879B0DDFF6FD9695,SHA256=6333F476EFE3E881E86927BE1B561B00B931250BC9C4F07BA049C2569CE4317F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:01.663{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A21C8E5D83EDEA3EAA730A6EE080C17,SHA256=125E6080DE34691808E02800FCD82211A8A031AE5F480A608653B542148303AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:01.448{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85347B7F6CE2F60D45C9585653098CD0,SHA256=85F27B1A8EA6DF945E007949BA2155EB8C08744F736B960286094359FD577074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:02.667{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD7C04A71589C7A95910B3FC26E0370,SHA256=6A5E08151830A3FB62437DA8612570A59EE4D523DB1A84BCEA6C6DC7ECD7AC3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:01.301{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51076-false10.0.1.12-8000- 23542300x8000000000000000281124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:02.478{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3341D51664C07C890CC2B17F3517EBAA,SHA256=4F126E172D680EAAE384B9228BE1CFAB70E173B9E38F59CCCBAC306672131B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:03.870{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56956E76EE3E975CA9763E7E3025F338,SHA256=1C671C83EE2A582BE3845510A5D46984C417A239095E0E681A706F63716A2216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:01.745{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65018-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:01.745{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65018-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000281126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:03.839{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C30A5A14D447C8FB7E9BEFE699CE70EF,SHA256=34006018929FBBB475D2FEDDC48A4B7432FD692704B3D3617E0DF71B5BDCB4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:03.584{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61085E63F6DB07476E2F796CB48088C7,SHA256=09ED5F034B8CB499ADD1D132A1C88766CCAA05AEBD813ACF00CB0D0C89DEA8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:04.964{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED620B0D4E568DF80970B20B93F2F24,SHA256=28B65492C762EC28C675AE9F91052332CA9A0343657A60B091B527A7C779C59E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:02.214{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65019-false10.0.1.12-8000- 23542300x8000000000000000281129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:04.703{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7479BC1479B11F6259991F532579233E,SHA256=40DC4BB931EAD95938AFF79220759CABF8D926B4C845648C87B6882D80CBEA9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:05.837{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91B98870F8440153D9CA8F9E1C70F0B,SHA256=8D9D78C1CE32E5D204D48B90FF6AB235FA424B2E23E9D82D5793E87D289032DC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000281131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:06:05.800{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a0f8-0xd8db1eff) 23542300x8000000000000000281133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:06.852{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3642FDDE8930D27E11F92C0091BD75,SHA256=C981A28B84970CB23C1783ACA8840F1CE32D21B4DBBB5F0C10EFC5E95A2E5587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:06.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE4E91E82C9A144DC1A3CAD3E427E36,SHA256=F02AB2543E1873A16369426985884200937061DC9994EF8C75F2B5B09023C51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:07.900{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E89246072BE5C4C6B408E049340482,SHA256=3699B5CCC1C08E80271202E5DFD53FECF4AE21F87D263BA167B992C1D0F5C5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:07.151{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F4E03AC60188EAF74D19313B8C3C5F,SHA256=5DD530A1C83BE24065D7B657282F2B80955B48DEFEDB8A9A8090337E51A2FA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:07.500{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=F832C86EE3E6F2A7BA57DB5C822DCD09,SHA256=30127E87DA9B59BCB29A83C2157F704F2CFA84FE07B7ADEFCA69460B97F0B9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:08.935{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2E2B3CCB48EB9466E629FDD4F759AB,SHA256=9C21CE06837F38132FF35CDA5F97AA66C79302F3108C67BEDFACAFEDC8A3E69E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:07.129{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51077-false10.0.1.12-8000- 23542300x800000000000000053984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:08.245{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0555345D1823E3EBF589B2248DFD10E9,SHA256=207468D536B0E8B9096AA4E8816111EC42AB4378FE16C7309A9BEC0A92D8071A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:04.765{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x8000000000000000281138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:09.980{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B6E813109D35A52456675439AE6CBD,SHA256=AA0007B31E3D417744C3B6C80D141E71F2B5F9816B27E0B1320277D9FED99EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:09.339{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23FB70C032F2DF24ED14957F35A4009,SHA256=2BF12BC7C913F255F0AB6AD2BBD811904302D236BB3E7C72E42DDCA71CCEB5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:10.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B899DB4F076A96F7712B96771367EC,SHA256=CE23ECE8BE67B8E6F6781D950CA406A3AD6120DAB28DC4D95952CB1E0E080CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:11.526{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFC62BB6E519D8C6EEBA4707338C275,SHA256=795D327DF73F6820EECC32718A04890A29AD11D44A74AA0ECBBDE8A3C2FEC061,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:08.163{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65020-false10.0.1.12-8000- 23542300x8000000000000000281139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:11.033{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D097EDF78324F63B0A1471DFDEF9597,SHA256=4369E0B90252BE27F7878AB548B3EADC51CFEFCE1B44341DB35DEA603C48ABD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.995{53069400-F4D4-62DF-AA03-000000007002}39561916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F4D4-62DF-AA03-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F4D4-62DF-AA03-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.808{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F4D4-62DF-AA03-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.809{53069400-F4D4-62DF-AA03-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.620{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D2D1527D74D93514B94AB79270245C,SHA256=1662212C76554FEEF27BF9B70E0AA4FA9D87EEC84EB5D1E7CBE688B9E13EE01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:12.516{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=E46C72BBF7B08CA73BACBA11F8FDC3BD,SHA256=0CBA8E7F3FF588CDABC1FE5EF28D31FAA3DDAD42AD29E085BA4D242C1D1C0946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:12.196{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF111105C0E6D42EEDB36A6600D9ADF,SHA256=08ABBE6FD89B0F37235489F30153D462E77F478A19B002211558DFFC6332E6E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.433{53069400-F4D4-62DF-A903-000000007002}12721988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F4D4-62DF-A903-000000007002}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F4D4-62DF-A903-000000007002}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F4D4-62DF-A903-000000007002}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.230{53069400-F4D4-62DF-A903-000000007002}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:12.332{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51078-false10.0.1.12-8000- 23542300x800000000000000054032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.792{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D006D116F80DF042FD3E819732609C,SHA256=2B829A8BBEA75EF88304F5C5527A6F9B0E61E4CEDE3065CE0912A7DCB1551FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:13.346{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668C215EE027C7FF7E75B7852DBDCEB3,SHA256=05AB790846386AEB412245F02D957CB114C18E25E01CF6A99B2B4C6817FBFC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F4D5-62DF-AB03-000000007002}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F4D5-62DF-AB03-000000007002}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.433{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F4D5-62DF-AB03-000000007002}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.434{53069400-F4D5-62DF-AB03-000000007002}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:13.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26A1F50B5070F205BB33A2AAF244C19E,SHA256=0724207527B3C2F539B245E17B1BC6C84E014C643BFD779CD8577095C187905F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.933{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88675FEA4F87F101B53BE88B23FF9DDA,SHA256=22C8E4FBAD8BE12B0393CEBFF6CAA62F86C26141488457E402E4F4B6EF48D20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:14.449{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CFC29169F9E0659DD6674895AB4BA9,SHA256=8E314E462AD87CE7F722CF19C7086FFD9DF3697F82021180EA8DD5B4179060CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F4D6-62DF-AD03-000000007002}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F4D6-62DF-AD03-000000007002}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.776{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F4D6-62DF-AD03-000000007002}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.777{53069400-F4D6-62DF-AD03-000000007002}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.245{53069400-F4D6-62DF-AC03-000000007002}30601088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F4D6-62DF-AC03-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F4D6-62DF-AC03-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F4D6-62DF-AC03-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:14.105{53069400-F4D6-62DF-AC03-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:15.549{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CF83A03FBD69AA87F3D4589DA4DE78,SHA256=95FB7932083F770F08E37833EC1A1FC90E2DF80A462E532A7E5E03DD79CCE3D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F4D7-62DF-AF03-000000007002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F4D7-62DF-AF03-000000007002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.948{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F4D7-62DF-AF03-000000007002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.949{53069400-F4D7-62DF-AF03-000000007002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.448{53069400-F4D7-62DF-AE03-000000007002}19641888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F4D7-62DF-AE03-000000007002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F4D7-62DF-AE03-000000007002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.276{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F4D7-62DF-AE03-000000007002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:15.277{53069400-F4D7-62DF-AE03-000000007002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:16.596{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26210B864C55B558E9031E6D36AB057,SHA256=2DE8796B0A9E1D7DF19C90FC15C968B0156E217864C7567B49156EC9F558A0C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:16.089{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F658662C9224028036D1C50D24023D6,SHA256=A13645489D4D74370142923B27B3538EC95452A83578CFF18D6FE6CE7D377518,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:13.228{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65021-false10.0.1.12-8000- 23542300x8000000000000000281148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:17.646{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079242255EA0A06EA2164F67D3565778,SHA256=6176E77B0C1F636C6ADAD7CB3C5CDB287CE6962A79EB338B38440FDE814C8FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:17.542{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EB0984B3C59F393E29C85E26D3F02204,SHA256=19E7677DD64A7A463D147C39F1959C463E98289D211C9CEF365AF2F67FD5667F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:17.120{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754D7512091E3A0C5744F58E7C849BA9,SHA256=E8B8424BEBB0F9A0F96FD12CB8C27B999E59FF7347E8B17838851CB2D7C2A528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:18.694{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ADAE6B9B74ADAD88C446464CC07F22,SHA256=187BB8969FE375927299344F306EA75FD14C32C6E5F250561647E304DF0E2C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:18.214{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C83C2A80C7C4A53CB075772CB3632F2,SHA256=B5F4E0468ED03FDDE979C35455F40BC1606CBE0455B866B3094CBA6891003606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:19.728{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAA47765015437B1A76A573979BF55B,SHA256=3D05A600EB05A4DF976BCFE63F4183EC29276AC43E23C1A57049D61B2B51C17C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:18.144{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51079-false10.0.1.12-8000- 23542300x800000000000000054093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:19.308{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EC499DEDAC21E02413895B96EAB97B,SHA256=0F3BCA73B43A34203E9F2474DB88145E606C5FFF2BF027C4C06305A618C7F2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:20.873{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD448D6A52D1479904FD4BF4E306146,SHA256=AA9A465A71556694E929B89C500BF7F157E7D6335B719692E89E05F6083EF972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:20.402{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F5082ED963AE248B888CF5BEB5E584,SHA256=8B85E3FCCC4F99FD60F308C8542E2A140314B1A3192ADB07B21CFAE8D8E7448C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:21.990{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2566D9F3E66831AF5C3042ABC32677DD,SHA256=EC37331C5F113156820958704FF30516773E27238BDDF61F6638502040B0A486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:21.495{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFBB19B19000ED8E7E26CA7660915D6F,SHA256=A01C5B365F4AFB328D546655A0D664361C13EFBEC2EC39A749F2F11C514C16AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:22.589{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA950AE3FF12C2A0951B4BC16A829C86,SHA256=5668C2030BE0D64C8E37A2B03F76C75F9693DAB5B88C0FBA52662F2C81AAA0C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:19.256{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65022-false10.0.1.12-8000- 23542300x800000000000000054098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:23.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EDE348E0A5C95B943728F9DF263A0E,SHA256=2E319775FB8FE4AD233FA547036F96AF5C1E6B6AC1749A1B3F41F45FEC9089CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:23.041{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1614C6083A1EF265EB7AEC6ADBE45D,SHA256=DEB305EB7D7FDBDB5EDB1E633E480E612BE8B65AB066B28B8AF43DE6CFC6CFCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:23.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51080-false10.0.1.12-8000- 23542300x800000000000000054099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:24.776{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D92E35943D56F3D82716454E7A92A2,SHA256=894370DD548C0ADA5CD59BE99584DC68976FCB1C644C13A53502226FE44B556F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:24.089{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D302CD24E63E2A1FA18B6051227445B9,SHA256=A54756BD6F6ECB93C0AD7E1843E07BAE92E4C31CCE9FB92C180AC639AB28D1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:25.870{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3F04EEADEBF4B5B59404AD4D89EE1B,SHA256=CB3A43DA1942552AE2B48352BDB75B21FE87D7EC27651A72FB7F317033A3DFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:25.208{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5A7063F0AA328D1EAAD8641337A0E8,SHA256=53C05D1CCF6F53178998F72DC17AC221BD173093E03B47B610F9B4DE43F7C990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:26.964{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FCB8788BD9A9D759AE2EB23476D273,SHA256=CCD58898E8BB2B1D1B3BB04B5E459E10FF27F91B929D2EFB74B68BD73DB78FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:26.355{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6E3E467034889210E1C99E58726B41,SHA256=BA96BD9193CA2FC571C0B87142B3E747226BE3FB38EBB9598B6E120F6ABEA8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:27.456{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCFE3C1C35C0BAB734ACE6E0AE30EF3,SHA256=B5B05205C8DBD9DE8004CC49A5B2AD858F7B1014AF3F1A63A258504FA7D43AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:28.488{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AD0C604E35FD74C894481017068F71,SHA256=77046BB45C893614EC3DF53462CFACB951AEFBEFFE69FBF986CEB6CCAA9A71BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:28.751{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-113MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:28.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55CDF1819006C695337E9DB31B7F506,SHA256=5EB7D6709C13AD3FBDD96D158A354C3AA6716CF95DD264AC5E61F71866293404,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:25.153{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65023-false10.0.1.12-8000- 23542300x8000000000000000281161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:29.538{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4473670AA984997C1C4B3B5A45E2677,SHA256=090BB85A77A9BBF76280CBD0D781B99C733312A737350E88474160A6479B42D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:29.754{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:29.159{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F642270A1607F08B76C06519C5726AD1,SHA256=333CF0BA8AE22CF5701EFD34401C312E30BECBC9947032B3E1BF5D18E962B13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:30.985{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=244A1631AD49887FFA233598B50372C7,SHA256=7D44FC1842A91ED6A3F1A5449C91A3982837CBCAEF24AE39ED510FEA01B39ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:30.588{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D500BB450A9F2DA33F51CF0360F88150,SHA256=9D1A781E54E8D35628A3C210721E3C1D6131406D2E6AE4D202280AACC1B6E84D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:28.319{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51081-false10.0.1.12-8000- 23542300x800000000000000054107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:30.251{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF9382F955648C60F985E601DF7B859,SHA256=62385ED9849218DEA93DD2C24CB8744265AC7BDB118FF537C78349995D37B5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:31.635{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3132FC658E2AE3F30449B46BE29BBA,SHA256=68AE6E16C669EB0FF51C8ADF2D689CF8CB8661132580731E4AB15D7F21220C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:31.347{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8849FF0BA28F105FEB3792EAD24CC10,SHA256=FA49BF8202BEE8CA327DDE6058E46A4A8383CD9DAC1DCB950F7D6D6FBA86F524,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4E8-62DF-6605-000000006F02}10472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F4E8-62DF-6605-000000006F02}10472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4E8-62DF-6605-000000006F02}10472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.903{F81F30E6-F4E8-62DF-6605-000000006F02}10472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:32.441{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E6950142972BD03726EC42087768FF,SHA256=159A76FA236045CEFBFACA9C72115D184FD72E76EA1B449F86B73AFFF47E8871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.583{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=B49C312FA79D34E1C51AAADFAB6F650B,SHA256=34BA119D2272007609E1B1E77953AA6E5902E3D165668E7DE2EC222A182DBA0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.450{F81F30E6-F4E8-62DF-6505-000000006F02}77525432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.266{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4E8-62DF-6505-000000006F02}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F4E8-62DF-6505-000000006F02}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4E8-62DF-6505-000000006F02}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:32.235{F81F30E6-F4E8-62DF-6505-000000006F02}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.933{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA293F4D7E899AF6DD95B546CDBAE7E0,SHA256=FDE32BB032955B18A4836E7EC99F9DF907AF29A135F94AA4D8FC534049B0C20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:33.644{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BFF042889CB415CD6A8A996EE05171,SHA256=539F8B21786DD5FBF6BA82B992F00355A97E17E9BF82FB422A8DEB60CEA69303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.584{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4E9-62DF-6705-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.582{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F4E9-62DF-6705-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.581{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4E9-62DF-6705-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.581{F81F30E6-F4E9-62DF-6705-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000281222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:31.133{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65024-false10.0.1.12-8000- 23542300x8000000000000000281221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.349{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E859DB2D2B9132D6A1AE18D728E92DAE,SHA256=A6EAC6D5AC559CA7D7100A52309E595948E87AFDE8EA4A2C9E1B707DD008CD8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.165{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AAA4F552F62F9073A8CD344C10EB40,SHA256=F77879DC1CB6F48F7129B88971CA62F519121FF101C289DD3B50EA3996A14115,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:33.134{F81F30E6-F4E8-62DF-6605-000000006F02}104727504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.985{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E785632D9AD02F2E501AB809CFE70B,SHA256=C9C54B30AFB43CC9114144EE2EB0E4AE369288933DF5283A1C2B17076C6F863A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:34.738{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4753E2BB97E1ED7292E55510ED3D9A32,SHA256=FA40B08CE2185D78D293A0A2A74B5277806F11287DF9B6E139411C1E1C206090,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.916{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4EA-62DF-6905-000000006F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.916{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.916{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.916{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.916{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.916{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F4EA-62DF-6905-000000006F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.916{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4EA-62DF-6905-000000006F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.917{F81F30E6-F4EA-62DF-6905-000000006F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.832{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2B2E070BF73792B902CEF95566EAFFE3,SHA256=A02A5C75461B13EBD7879A3A0D59517BBEBB03E72FB309E1597A9E48280762BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.448{F81F30E6-F4EA-62DF-6805-000000006F02}25004428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.248{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4EA-62DF-6805-000000006F02}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.248{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.248{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.248{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.248{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.248{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F4EA-62DF-6805-000000006F02}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.248{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4EA-62DF-6805-000000006F02}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:34.249{F81F30E6-F4EA-62DF-6805-000000006F02}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:34.082{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DA959C8D4259381FFF59CAB9CAB6E12E,SHA256=CD513EE2E1524410433480EA197404FB1A50715583B8E4B2F0A381FB2B740652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:35.847{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEB06578A0C664A1C11F4F7F9D27327,SHA256=5C71888FAC4653AE8418B7C60FFADFEED1DDB0811F2683D57FF7F8ECF153B117,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.601{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4EB-62DF-6A05-000000006F02}10620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.601{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.601{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.601{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.601{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.601{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F4EB-62DF-6A05-000000006F02}10620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.601{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4EB-62DF-6A05-000000006F02}10620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.602{F81F30E6-F4EB-62DF-6A05-000000006F02}10620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:35.101{F81F30E6-F4EA-62DF-6905-000000006F02}75564232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:34.075{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51082-false10.0.1.12-8000- 23542300x800000000000000054119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:36.941{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE1C466BB0C13C42583CE710D0C823C,SHA256=537F0C4763163350E3AAFCBF1C32626DCDA545737480B68A78DE0A4CFD61E124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.233{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F4EC-62DF-6B05-000000006F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.233{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.233{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.233{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.233{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F4EC-62DF-6B05-000000006F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.233{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.233{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F4EC-62DF-6B05-000000006F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.234{F81F30E6-F4EC-62DF-6B05-000000006F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.102{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F4F058466F1259DA26239D5573BF90,SHA256=58773F0B5FC9AB7F58AE63D7F239C644D09CA5DF633E3292DCF1518C5E5647C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:36.269{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:36.269{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:36.269{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:37.617{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=C258A28D253516881395162C7E6E2625,SHA256=F65CB9F41FAD98DE2F860C98D36AD3D5D60362F6D45716D07B339168A59BA225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:37.233{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF35856055711EF6AA987BFCB5D9D06C,SHA256=6A1FF65B5A4488B7A2372DF962A9C2A716529049AC27504795738E67E4199704,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:36.178{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65025-false10.0.1.12-8000- 23542300x8000000000000000281271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:38.280{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AD67819312E8E832398DAD4168D7C9,SHA256=B8DB668300EAC1BAFA53C044AAB9B57F11A19C81E69FD861804291D6B0E1A4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:38.035{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EC6AB9FA4B6C01ADCC03831243AA13,SHA256=87DF2B9B239A1C75725C1637BE1B2BB53357BECB3DA319E0893D71713CFFA18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:39.315{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F04355478BEA09EDCA7CE7CEBE84532,SHA256=4A964F747C08451E8AAF45ABED96BC4B8294CAD6887BF8E6EDC2CA608423B4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:39.129{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1BCA5A0C81B53D168E088854A52DDE,SHA256=C6FE78DE912CA887BD4A845FB8136C830FB8E9471E8C2582811A84632BD98D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:40.360{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004917B1D648182082D54FFECAB511EA,SHA256=5404CD6357C450CAE80DCB308F6C9C3F73B364B5702339093DA66F6C01B1E244,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:39.075{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51083-false10.0.1.12-8000- 23542300x800000000000000054123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:40.222{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE112503AC2B3B7C309893EFA7D78885,SHA256=72C3F9332F5F6021BF1CB5C66B278A524B14296CBDC096C4064464097718B303,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000054122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:06:40.097{53069400-D97D-62DF-1400-000000007002}708C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a0f8-0xed4c8ac6) 23542300x800000000000000054125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:41.316{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38AA4E21A250849E48E0688885892FD,SHA256=CB81C2D7D99A1186E5D84F508BBB8B8D3157D6B25DFF139FBC7CB4CA2C409988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:41.397{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34483ED1F1F5FD3484FE1B0ED81F8D94,SHA256=6C9989BEDD8FE500B4ACAB1221536FED720676D5CEB2B8437D34C00562617CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:42.410{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B4B48A7A32BF8C4D43304E00CC7D20,SHA256=38AA8FFA8A94711881CED9EB49C146646867AED4427BFA5A7CD4525CE91781FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:42.442{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3FE1CAA023D784BC803FE7DBD41F14,SHA256=53FA1528E9FF9951C8D84A2983C524AEEBCA1A4C05F5AE2D7774C0B872B841DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:43.504{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8160E452DC50E69F78B402A67A92E1BB,SHA256=C2496E4DF1B60AA417585B44EFDE73BE3CD0CA52F7A6E31B389A607299698AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:41.273{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65026-false10.0.1.12-8000- 23542300x8000000000000000281278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:43.474{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC05BE7CFF4B01104795CF652077D99A,SHA256=07C3B12A8D94C84EE1EAB2ED54A1529E55DF2D21302F587DAA9C2569EEDEE263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:43.098{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-113MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:44.598{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D46BAF9CFEAE5CC02C6F75C81B34D0,SHA256=ABFD12419D01515696A071494139F5549D644136FE1C7A4EDDC6C2780077ABFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:44.576{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545E47DFB20E59A9268210230DEC8947,SHA256=59EE075BE45DC7BAED4AF7A1EACD6BBD239B027CB5ED4C6D88080479525ACF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:44.097{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:45.691{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA891ED5E5EB2198EB3D9589ABC061E,SHA256=DDBA1C193894D910F83FE7718DDDBB03E678C7669F0AD52EB31867D6E02FD4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:45.610{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927AB0E11FFB5549900BB19CF8782AF1,SHA256=52481FE2B54F52887BB18DA7F22172D8FC41D8D04879EE3AE161C1A02AADCB9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:44.153{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51084-false10.0.1.12-8000- 23542300x800000000000000054132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:46.785{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABF95E9BAC8DAA81BFC5E9D51ED8493,SHA256=97EDC525BF31BF17294604AB8E5D062EF51F4162B0A3BFD1AE6F3C7FC312E36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:46.640{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E782A58F7DD8B9B2BB166DF428C656,SHA256=589348BF5C54500474029A9089B0E74280BE1B0673137F7EC0643C546D116F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:46.113{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:47.879{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAA20552DD3DFBCB05E5856AB91FFAB,SHA256=640B5ACD667BA85387A228D9D11BBE54C202EAC1065E0D2E0635BB3C780ED39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:47.672{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D306AC9A081CB6EB402257193CF5BC3,SHA256=D67522C2D0258F0779E3F003EE2D7955BB11ECA6B4FB1A2F3F05A0ABC1A0C1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:47.723{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB43DBB80DC9A65805412163A52CA036,SHA256=645257F3E989A4596353C2646CCCD10ED76840A11A0C458EFFE328088810717C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:46.169{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51085-false10.0.1.12-8089- 23542300x800000000000000054136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:48.973{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0584A26BF39235D1291328149029E1,SHA256=8B8CB80496297639958E24C02E223AF5EE97E8B55579CDF98FBB441D2533CB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:48.771{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F957361B215229B42275FAFB28143E1,SHA256=4E7037DBF9B92D411153EA10B592A4FEA1329F8814D03339112B4C2A542AABD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:49.906{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C9C64DC5C63CB8E50CBB4DD4979761,SHA256=BB73D6D76204D5FD447C53DC2A440981B9F460E81BDA54F7CA901BC4F7F53026,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:47.088{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65027-false10.0.1.12-8000- 23542300x8000000000000000281286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:49.075{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:50.936{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4764618AA3477CB9B27F0FA98BD190,SHA256=3015C21AD773E2321AF77E761101C1A4696175D85EA4906434BF3342A51386E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:49.247{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51086-false10.0.1.12-8000- 23542300x800000000000000054137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:50.066{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9704E70D244AD40E263C2EDF65517142,SHA256=43F379FCC08F87976170E28D97DC2FD4667A2ECE2E8356C8A0096DFD313F19E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:48.083{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65028-false10.0.1.12-8089- 10341000x8000000000000000281291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:50.337{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:50.337{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:50.337{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:51.969{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1231996E229749DF357ED0EB5AD23E74,SHA256=6C68F4466746649188A8AE6F792209AE3C5CD20873AD37BB62E9ED018C567468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:51.160{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7D7F88AE32A129FF81F2F84015587F,SHA256=EB862938DB61D5826CA4DA666F4776F37E43105DCC1BCA71C98341E7663092C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:52.254{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F12739B5FAFC07327BECA64A13772B,SHA256=3151CBFEEFCCD6A306FA7274BA5DB865147B730AC5054E860FA7363E82875D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:53.348{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E18A112B564DE035ACA4BD45D3229AA,SHA256=7A8E9A23DBDBBDFC2B39E4A4DED6BB8DB8A5E64918FD3A6DB4F977C451A2E152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:53.004{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D6F0E8835D513D4BC5E84786B907C3,SHA256=8B637FC2BDC8A19CE2AE5669A8F4F83F35DA4ADD4F22EA47E71E0BED33A7EB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:54.441{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA552B0E0400BA0770D2F16B4EA036F,SHA256=3BA402ADC3D936835C31CD2C4A4FAB1281AF1BEB50B7C93318A6FC7A0DBFB94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:54.134{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8FA13EAE164A8B841A37B9B640AC98,SHA256=0ED1ED685E77622406B0D5CCE85287B9907C507B56DBFCB45C41B36603CB7F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:55.535{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD910CE2DEEB147D9186AB09B57BDD23,SHA256=A9F1C4555C5F0E5A315EE4C26EC7866A21D5C505AAB0D3B93342E11F53362F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:55.166{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9BBE7D3DDF993A448360246284FB6C,SHA256=89B7B169C6BFD7D6CB3CBA0DFC5438EB713886A72B71EB9FF20D828CB080A968,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:52.234{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65029-false10.0.1.12-8000- 354300x800000000000000054145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:55.247{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51087-false10.0.1.12-8000- 23542300x800000000000000054144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:56.629{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E664B4630B7E41E31571B06D598D4F95,SHA256=CCDA849A594285AD7DEEAC7CCAC210EC2636A764F151DBFDCE2338FD76ACC92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:56.447{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=FE64608C5362F4DDE05A3DA67B7D293F,SHA256=BFDF162AD958AEC4DC439D27747E79003555FE740B9CD0B89FE99680912475A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:56.300{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07F3B4AF2445289A772BCE07619363A,SHA256=7D943263D4E2B31B940D9F55163DFF52C67417CF2A674F15D71209E976743E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:57.723{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99808A87786612AC9F40A5E61F8FBB75,SHA256=87F4B506AFD93D7866E0D8048ADE4D0B4A1AEF219DA6111D1CCE52F77F4B6D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:57.415{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DF9EC8FCC11CF46B9879F8DC11557A,SHA256=3FFF2A43C2F755B34B565E910B46457181E2D2623DFB03880FADE1C7158E6D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:58.816{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF43B898FE14E74C7AF90708E126787,SHA256=853FC05BA0D5357BC41FE956572256DBED568A600D7D2B4B4A045B29A4B16028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:58.530{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553487710D0394E89AD5BC056D5C3EC1,SHA256=6ACDD201298D7ACBEF80D33E56F47443DD3A735F02BDA3B4D3B6884C7EE0268A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:06:59.910{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415A64D5F11CAD035D6D3897D1877E14,SHA256=6F846CF3D73F344DA7B627A6D7871E252C9B53AD94F49C86EF9FC6B29BB62A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:59.546{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6892A5A9811480F44400221CB9F50F,SHA256=9CD5B936665CD90F978250780B7E0A0989D636AC15A981E86407BEEA48DC4CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:00.598{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCBF9B491EBC6020BF9FE2BCBA71C55,SHA256=66ED8BF805060E145B833EDBA81CDDFCD72891392C04A68E30A49422C2FBD6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:01.714{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002D85E841BD2F803D617DD584317060,SHA256=0F5572901861EBA6A8FC3314A8287C576736730CADC42B73250C0D3795CCC06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:01.004{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCC9F6B113EFAE496581C102A030EB2,SHA256=F98EEFC91C54CDD35E054EB8DFD6528A6046C98A33685B9591B86EEE25C17F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:01.244{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FC05E3A7E94579CB77A07F92571E87DB,SHA256=A75B3FF4782544FC6124C25ED2A0AC928132D01252193A1411B0089BB2E21ED7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:06:58.215{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65030-false10.0.1.12-8000- 23542300x8000000000000000281308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:02.861{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C308048FCC040466EC735E7B967861,SHA256=00722C810459AB6801704D2C81E1BEF080393C67A36034A2B48F9CA4DB8F4886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:02.098{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886D82D740D49F169D161A421A289773,SHA256=39E0708F4501817BAEB55574326701A7B8FC4FB246379A026A12170CA89AFFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:03.980{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312E5E4A24FD34697329D8FD8388FF58,SHA256=A40A92DA4E129CC53ACC8832201BAF1412A180314D80DFD6BE899C942D234C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:03.191{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F01ECD597DA55CF4C27A13349352F6,SHA256=98C6C7F08B831B05887F7EBCF6A4FEFF56F72EFA14FF82995FDF25544F11673F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:01.184{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51088-false10.0.1.12-8000- 23542300x8000000000000000281309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:03.827{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3E813155CC2AF777A4D242C92F2EC5C,SHA256=13F62951D1E0E81F31B3C4D80CBCB48828DBC0AAE77804EC40D536288E3B1E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:04.176{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923841680AE74FD6AD471FBB27A4D671,SHA256=06F004981051FC47C39147B128138A84014311D733DB584FC96A9639297D48DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:01.760{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65031-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:01.760{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65031-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000054154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:05.269{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7772F2CCBB010B8846114D03EE8625F1,SHA256=495D3D723DE91B8E0A195F86DA7F792F06B79E326F3CCA5C98886B1A0DB2853C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:05.011{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABF956BB0F7490B4AD9FECD653EDF57,SHA256=966C2021A551DD3A3BDC4D016B22755156F10CEE380C02BD9ABF8E7BE0FB36CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:06.363{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F219A6617B18280A23262772318399E1,SHA256=FD5A1C4814F5A3CA6250D2AB074F97AC32611DFE874E5237D6F8E3EF54BA07B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:03.273{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65032-false10.0.1.12-8000- 23542300x8000000000000000281314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:06.040{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A8316EAAB6934E2DDD72B4A1C52CF6,SHA256=7A2AC46EDE33084F5105A951C55FCDFA421434FFBAFB8288C6F992C76C66260C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:07.457{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EA4F530F4CEC45BA053B7159A63E38,SHA256=8B8219AB77FACD9DA1D91BD5AF3C5BB08FF88EA7BBF051EEE41F25D53BB86187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:07.093{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D472F8E93F9D3F0335C935421CAA20,SHA256=EF4C13ADA0F0FF3874E401A130FF5EC55790BC1DDC788F1FA5EF42EC268AA811,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:06.262{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51089-false10.0.1.12-8000- 23542300x800000000000000054157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:08.551{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2871BA269933076E521BF9F6D7193445,SHA256=A05B276A7D525F711744F214A8EBF69A3CA55D14E409EBF372D6F29C5026C8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:08.123{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060BE2A8368FB5B4CF77F8E10A651E5C,SHA256=068C06FDCE60FC1294BB50469418C6238853EE44DAA54F468BE1D6FDB76F5FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:09.644{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9511963A7AC3B32B6FB6EDCCDD4192,SHA256=988F5BF8EA72CC624A9D6C12796BBBF050B0A1E040FC131A60A3007CF3B649D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:09.256{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A23C6F6D97BDB4088A1F428BE74BD8C,SHA256=CCB5E31412FB62E0508CB1F02B6EAFE111B4C2A2E159172C12F50C435D396667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:10.738{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2A9B7FC1B7C883C9843E5472640446,SHA256=B5BBA5377C49BFBFC96FBFE5CE5738B71F2DFD662750DED6D83EAF2C22A99D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:10.306{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4059A9A3C2A3C704A408DECA42D72E,SHA256=BC638A937AB78CE3E91981184DF56E293D8D3AE7D4EE8D68895791ED0269F43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:11.832{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5C261A5C5FF6D503EB23C671CC9B81,SHA256=4CD732226066685975458B7FB02A030E754490703DB506AD2276E683AF68BB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:11.453{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC4871AF485033347ACCDD62E962600,SHA256=0353E908510A19FF780D33B01A76FE6942066A69C96A666DF36F5B1AE9B45C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:12.554{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549E1CD5DAC963C8480CD6E4CC29F1AE,SHA256=40DD8DD59B57692593B8F30A5EA23F7F569B1362EDF728C29A18E5830E3CAE42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F510-62DF-B103-000000007002}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F510-62DF-B103-000000007002}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F510-62DF-B103-000000007002}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.801{53069400-F510-62DF-B103-000000007002}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.301{53069400-F510-62DF-B003-000000007002}900732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F510-62DF-B003-000000007002}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F510-62DF-B003-000000007002}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.129{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F510-62DF-B003-000000007002}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.130{53069400-F510-62DF-B003-000000007002}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000281321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:09.205{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65033-false10.0.1.12-8000- 23542300x8000000000000000281323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:13.655{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C32938933BF9C3FB26669F1404C24F,SHA256=848B6B59C56FCA5715F613B0667E7A89E05507213422D993C39616D45AFF0BAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F511-62DF-B303-000000007002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F511-62DF-B303-000000007002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.988{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F511-62DF-B303-000000007002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.989{53069400-F511-62DF-B303-000000007002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:12.293{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51090-false10.0.1.12-8000- 10341000x800000000000000054204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F511-62DF-B203-000000007002}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F511-62DF-B203-000000007002}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F511-62DF-B203-000000007002}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.473{53069400-F511-62DF-B203-000000007002}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.269{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F621C1120689C7D435FF358EA8FC981B,SHA256=D1FDDB9A2106331D16402F7C4DF2BB3F5B71F0B82DD44E94770AFE8BC38B7053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.269{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4702A331C6DA0786ABAEA025F9864DFE,SHA256=D4427B7EB561278783091CE82EA95EA9EFE11F71579E5CB76801406A0622A204,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:13.004{53069400-F510-62DF-B103-000000007002}720940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:14.756{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FEA6CFE55B1E886A09561956836727,SHA256=F2E481F9F5D58DFEEAFE0175FA5463E98538865DA4877C375283B0A21177F6C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.676{53069400-F512-62DF-B403-000000007002}10483640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7D66561E363A8534AB97CB4E035220,SHA256=734FFA7E3801E7E70B9AF414552FF777C8A4B6933D480566462438C6A7770432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F512-62DF-B403-000000007002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F512-62DF-B403-000000007002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.488{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F512-62DF-B403-000000007002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:14.489{53069400-F512-62DF-B403-000000007002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.724{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53BEBE89C53ABC7C81760993219CF14,SHA256=DC0B88C0997055241D44D91FDB692F400EC430865225936662C7D3219FFA081F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F513-62DF-B603-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F513-62DF-B603-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.660{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F513-62DF-B603-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.661{53069400-F513-62DF-B603-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:15.805{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45232542544D2E043AF6B8D7D3E36707,SHA256=377D0324C0B9C5BFD353476AECF2283C63C7377C571AFC7BD14632A9751E2A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.394{53069400-F513-62DF-B503-000000007002}37723004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F513-62DF-B503-000000007002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F513-62DF-B503-000000007002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.160{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F513-62DF-B503-000000007002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:15.161{53069400-F513-62DF-B503-000000007002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:16.973{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A931CD3320E8A8684FA30F114202AA74,SHA256=E041B73E9985E65AE55ED384042ABA67ED76193F73722DD853C4648C9ECADE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:16.707{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A53F81E33976AB50A6BB3E6A6BCE42,SHA256=516B0169EA134C6E2E4EDBDA55155E9CA41F41A7E263D8AD3B1404F933D458B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:16.852{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CA7FDE902E1890878AF0E7E7163975,SHA256=9C9B1EE1F7E90B207272E7F0CFEB9655949B504E58CB3A4E2A0C560C4D5FA509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:17.801{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31428F139D30DFCA8E516EB38D428E3,SHA256=C6D95DBCCABC35A76BFD6200EDD0A702387CC95BC4CB68AAF794A223223481BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:17.887{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9984F877FF18D5CE22F77B55A6D963B3,SHA256=CBA70DC2487D86EE915B9FFA4BB7A2C65D2E35C356B8725D1FB360FCA8662C7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:15.089{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65034-false10.0.1.12-8000- 23542300x800000000000000054265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:18.895{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB083ABD9C9623EA7807C1AEC986DDBB,SHA256=12825B1BB068F9F87D5381851D974C36103BCD480547F9D5B585F6F5D23D0F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:19.988{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85EF3F79F4FA5779FC29E19FE85D7FD,SHA256=C26CF70FA04B8CA33A8969E90F099C974BEF2528D470668B7526E926583BF53C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:18.200{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51091-false10.0.1.12-8000- 23542300x8000000000000000281329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:19.001{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB745A0B15F2D7513EE125735867B7F,SHA256=C382B800E44A0355F3E4364AC051C2C857F65318A8F53B88CFCA62944A6DEC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:20.148{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E601875361DA0037DA9029B237AAC9,SHA256=7675A52CA09146AA990D01DED7A1A42C57B39DF92EDB6E2B76088BD673EC2DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:21.082{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C6A77538AB0E58C41BDC63BFD62B0D,SHA256=62746C615547B8B17E7F53D4C60C4C506031157DAB6CA750683FF3E315AC1876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:21.171{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A5586C48555CE942423966C96D3589,SHA256=C78B5862FDADF9ED6FD321B46E7CD1D9963E5747CFA1366D7480E5DB6624A476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:22.217{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C76B6D3B654CC202D70F5103AD5AD74,SHA256=1872B5814459D1757416FB7BCD50CE6C3594CC1140EC20F0612F90737A47602B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:22.176{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0DABA03153C67006A57239AA089135,SHA256=7129561AEF626C33ACE50E7468BF858BC5A3A89C7520A7AB2EB6C20A16036051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:23.269{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A9CBE46C000226F32783D923A3417B,SHA256=CF8EDF3951DA05730CF7F3C6BEA62CCA42C0DD0FDF62E62A77684786B027EA94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:20.234{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65035-false10.0.1.12-8000- 23542300x8000000000000000281333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:23.249{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F09DDBE6834D79939454EC792B42D73,SHA256=1D97B099ECBE1034900E9C7155AF71B162D9C62962C02DAB5637BC29F4D42CAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:23.262{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51092-false10.0.1.12-8000- 23542300x800000000000000054271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:24.363{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D27D32F7D5F0390E0480A0969A5D076,SHA256=3F7E58EDCE030C5D4A03A751A2B6D729D96E9A36EF0D016AA9C6EA0CA1816E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:24.300{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA321D1A26154C25BA313CF3E3CBAAF3,SHA256=75A47639B636AB7816B13176552917AADF8E7692B3751CD658BD35739E634393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:25.457{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980796A577F13438F56A1D01E8C62EF0,SHA256=0F81DCBA1C44832AB15158A457F49F75923211AEB94D9CBB1B35782F93DC019D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:25.347{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DF612449054209AA6CF4AFE059C605,SHA256=B57956B94B25CA23FB73C179932161EF13F249D49C87A240CEBF57432F375F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:26.551{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458A4E8F252C22554DC2AE9C149BBCDC,SHA256=2EE3CE2EAB9AFF1FFC685157FC757860A736299E26AF888E04C12279C1CE30E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:26.483{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA01B93E9B9A4935830AC6F660E79FA,SHA256=46CFD79848FF8181C08C189D8116C37121C904ED490CEC27B0E17F931D8FB42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:27.644{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886655F2A204B45F7F80F3A15B1B6900,SHA256=A3D7AD87C39966BF3A7F699E9F8558DDF35781CCCE3130F9FBFADD5663E0378F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:27.528{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A143FEFFC4313C33788E4264721893,SHA256=EDC88E0623D9BA2E1D3D2907D8031837ECEFB90275778CE1C5D8F57A22E10246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:28.738{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF34EE13494D5773BD8954EFC4FF8E7,SHA256=CCB6EC377BDC2EC38F08E7FAC9521601060F77C9963DCC62E274185D29871F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:28.580{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DADF06E95446FEC243908B611AFAB9,SHA256=255B72004DE3473386D3F706127B4C5B03AFFCD6C7A5749F78F920753DD01724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:29.833{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEC4A0C2F01D4A25E161F0692AC49D0,SHA256=16C6DA1DEDB806800B778BABFD8AAD20FBE5ADF2656DE791E6D58EEC1234999A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:26.260{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65036-false10.0.1.12-8000- 23542300x8000000000000000281340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:29.711{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605371A08C85BA7E1FBAF64C52236AA3,SHA256=ECD662240133C3EB858F10F5EBAD32B677B871A5D26128FBBE5C139AFB65432E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:30.926{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1608A804452053F6BF87BD4E04B7F92B,SHA256=C6F6FACBDD7A8D2A3AF9895614312843F3DA61FBCD6FB4C538366224189164A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:30.744{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F604E179CD44004A527174E2885B09A1,SHA256=FA1631C191DA50DF13E90CE5BC43CEF54F30A0CE2ABED8CB260F56E946C0C453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:30.273{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-114MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:31.878{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CEE6ABCFDD475709253EE37EB25AE8,SHA256=E21DCC2014675E4057290820D663862453849C7121DEE651877C3A756E022317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:31.285{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:31.543{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=032CB41A62A46A0148B9839B339E65F1,SHA256=EF271AD7448BF0D76725E85676211FA71A5EA81E92679CFE3B145B69988CB0CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:29.122{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51093-false10.0.1.12-8000- 23542300x800000000000000054281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:32.019{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1CE8E55F396C2879085CCD2B2E1A2F,SHA256=E2652FC850DC93BAB54DB5D7EBCA5732005FD5B53A3A7DC81854B94B50C114F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.678{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F524-62DF-6D05-000000006F02}10988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.678{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.678{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.678{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.678{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.678{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F524-62DF-6D05-000000006F02}10988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.678{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F524-62DF-6D05-000000006F02}10988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.679{F81F30E6-F524-62DF-6D05-000000006F02}10988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.393{F81F30E6-F524-62DF-6C05-000000006F02}1047610468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.193{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F524-62DF-6C05-000000006F02}10476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.193{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.193{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.193{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.193{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.193{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F524-62DF-6C05-000000006F02}10476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.193{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F524-62DF-6C05-000000006F02}10476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.194{F81F30E6-F524-62DF-6C05-000000006F02}10476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:33.113{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AEFFEDF4B77C5AC4ABA90B65BD5282A,SHA256=5B9A5287B9840752BF5375A784B518450F9C9F559F3130D3021F3FE400F3065B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.992{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F525-62DF-6F05-000000006F02}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.992{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F525-62DF-6F05-000000006F02}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.992{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F525-62DF-6F05-000000006F02}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.993{F81F30E6-F525-62DF-6F05-000000006F02}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.677{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.324{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F525-62DF-6E05-000000006F02}9944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.324{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.324{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.324{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.324{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.324{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F525-62DF-6E05-000000006F02}9944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.324{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F525-62DF-6E05-000000006F02}9944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.326{F81F30E6-F525-62DF-6E05-000000006F02}9944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.293{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F80EC14875F31E4911A70C12D604F1C6,SHA256=DF5A1C561DC4D065EBAE437B25F48096CBC4B3DCD6AD09701AAFD24F254B0593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:33.009{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51789257CDB0B779FFFB6B256AAC9D11,SHA256=DE4FCD1F9507030172EB6E0A0766220D9A5C754AFE1D8FEB9B2FE0793DF449E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:34.207{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4013186620B839B8A55F5E37506564,SHA256=5E6E08EFA796DCB8587D152229D439471E46161D1B99825F526D4484EDA25FDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.875{F81F30E6-F526-62DF-7005-000000006F02}1107210664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.838{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=53F68CCB8504F64BB7FD8CAA4E691E86,SHA256=EA6E23DAAC8B048C6BE9431DBD116EDF518F2DA1057C52E422FB5D37C3837FF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.660{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F526-62DF-7005-000000006F02}11072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.660{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.660{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.660{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.660{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.660{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F526-62DF-7005-000000006F02}11072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.660{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F526-62DF-7005-000000006F02}11072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.661{F81F30E6-F526-62DF-7005-000000006F02}11072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000281383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:32.040{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65037-false10.0.1.12-8000- 10341000x8000000000000000281382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.223{F81F30E6-F525-62DF-6F05-000000006F02}1088411116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:34.060{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F20BC2E77234224388FDD6E1FEA490B,SHA256=15036F75A0142CB550CEA1CAD825E8FEB633E7B50211688C366386A741EF5982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:34.097{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E58EBAE970B2C439981C6112DF5EA56F,SHA256=639666743109E22B776717DF3E2CC7B434B83766D583C826CFF008FA4D6EA057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:35.300{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B869522DDD9D82461D0A63E75F86F512,SHA256=61D5AD7D962419A69C513A874DD60B4C468BD7A4254D082C0CE5B4D165C52EDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.992{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F527-62DF-7205-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.992{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F527-62DF-7205-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.992{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F527-62DF-7205-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.993{F81F30E6-F527-62DF-7205-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.506{F81F30E6-F527-62DF-7105-000000006F02}1070810692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F527-62DF-7105-000000006F02}10708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F527-62DF-7105-000000006F02}10708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F527-62DF-7105-000000006F02}10708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.322{F81F30E6-F527-62DF-7105-000000006F02}10708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:35.106{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA486805ADCAB3BA665A5E5654A2D90,SHA256=6912AA1E73F68988BE3B777DCC600FB31AD4D9C872BC5E7037FED7AB62FF6342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:36.394{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4285BDB947BD1F99D532FA7E453F7D6,SHA256=E946DB18141339FFDA67C6FD4FD5EAF07E3919558B7535E1EE78821EF05FDBDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:35.137{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51094-false10.0.1.12-8000- 23542300x8000000000000000281412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:36.223{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6783B71D1DD2712BE92BABF1C2F0314E,SHA256=C52212F8D0BA341B9A3961D326098271E194C66C5BC44345328C24D32A78E0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:37.488{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2293600D0E2E851688D03453D191322,SHA256=0C2A1ECCB981B782DF26F1AE7120F777813C7D38A70E95A8739096E0C8EFF5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:37.360{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF174731C4C4FEAAFDEE8CAC174F88B,SHA256=1A95EF22ACAE6DFED35F67F3EBF5157309E431B2AF6F54AF9CB73CBA0F3A251C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:38.582{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934E42C9B2DC4768EC99F351A13E359A,SHA256=F8DDADB1F6F55ED5A7C7D1C43FFF213F9A2FAEE8F677490B089AADB7B281C9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:38.505{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83A12043836198A2D7F4FD341C00EB5,SHA256=428E8CAB4886885E37E0A42D22300AC4D06202153C71B487B92B06DF14CA9800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:39.675{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C6A0B651365F6D2559C84BF892981D,SHA256=1198CE578AA1E330905CA95EACF9A1E8412CBF4435D7BD04C2E6FC156F6A850E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:37.206{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65038-false10.0.1.12-8000- 23542300x8000000000000000281415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:39.537{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F68AAD55399E0A8F180616467B15936,SHA256=DCB24C58E19C5FD269AAA99B8C77478D623D58FCF52CCE1093BCE58E88BBD57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:40.769{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580449B43890B7A5A39E4D6FB5D14192,SHA256=D3351B61B14C33E1C397467CF010BB12888555A99F8A8050ED256E5373BC8776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0445917005FA5A3C7D2BEF69C5354C01,SHA256=5886007E6BEEEB0D99B650FC4B52D0B56208517B5263307CE95A1C3B6250FF78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:40.574{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:41.863{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41846792C1BC8242FF1ACD3F16F483BC,SHA256=046D7FB052E185BAB931B13901E3EC0452F96599E9EFD981D4EC794876D6FFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:41.691{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1623E1F47841526354C76AB35EACEB0A,SHA256=3C642F6671D663D86FD10D5327AB1A56E75BEC4822DB8B532AD6AA9A11B46A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:42.957{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BEB7CD9B1D73F1E3D483DF6A747087,SHA256=6B8B15A5341B510C0FA7BBED86C9C568EE65B90A7D6F2FA99652A58042C3378F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:42.738{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423E1F3CDBD5FC34EE111E20CE4397C1,SHA256=19EB2005689BF9C5B8526993F420607E568F08FE529A9A3F15B7FD04A00B2CF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:41.106{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51095-false10.0.1.12-8000- 23542300x8000000000000000281428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:43.761{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8481FE75E36F01B898108F1DDAFD49DB,SHA256=AB8C01D99D14F88702886223B51ED6B9FEAD934B92E2B8DA6C21250C4C526DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:44.884{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5321DC870AE375FD9BF22A8B32AF89A,SHA256=44B2BCFEC732DB5E21C030A755A934159338334753DEE6D601A17CFDDC1E951D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:44.050{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C480273677D917F7AC78F30D80EF9314,SHA256=5B22310847153AEE50AE9F8D91F4EE5E28049C0E4497E74194B0745DC09D9325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:44.617{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-114MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:45.930{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E4923C0565056285AD51C08F9680D7,SHA256=F2327E5C1BD48EE80B2D314C9011145B2BABC057A10B6D71C4E0B69B54958C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:45.144{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9200955C0B29C7D086F28084CC5B6DA,SHA256=842547F0CBC477B264BAC1C92CF21D3A7830DAA1EDFDAA3BD8AEED7D1BDA9597,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:43.185{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65039-false10.0.1.12-8000- 23542300x8000000000000000281432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:45.631{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:45.599{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:46.238{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BD452E7AE7ACD8245FC9043F7B8D3B,SHA256=04A07AEB2FD271CEC68D5F198C318412031908F2852B87B2E49F6E66DEFAD66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:46.144{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:47.222{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CF1AB4C45CDF3EFDBC850A02137B57B,SHA256=71C48D24B302C311774C3A5256A1F648DEEC475DF8DE26F6D912C927E71554BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:47.222{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1B3A5B11C7552AF492573385DDA17C,SHA256=B5E40200397FC52705142998C288B5E63DBE78A1DC464EFB2ED54E0DFA405834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:47.046{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36ECAD9DB1F1D3979796793D9776A5F9,SHA256=9E5BFF4ABD3AF8278ECA0233079A8CC0E48EA258FE72B025C4137D79D6DAB63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:48.316{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C538B57D35DE1B579B3739F04A969D4,SHA256=9F2E80D3EE5F19B5AC87BB373AC232EC12A82D89523919693FD7223C6D3DB5E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:48.168{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D28C21659D15B9117B7E501AD0434B3,SHA256=719CADF74AB160DEF5B05C3D542CF8A2F828EBFCB355A08566FCEE2A5896AFF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:46.200{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51096-false10.0.1.12-8089- 23542300x800000000000000054305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:49.410{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09EBE06BC3A52A8014AB2D8E48B2067,SHA256=5740A2CB6A514E2AA1C82B778ACBB87C5018A6CDC552A30C8E438827D75234CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.198{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AAC6E87EDAAB49521185DCD2981A24,SHA256=DC94779A875E5961405744B0DB1F3332C51A20CB9115F42E82B841F2C36862AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:47.137{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51097-false10.0.1.12-8000- 23542300x8000000000000000281444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.098{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.030{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.030{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.030{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.030{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.030{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.030{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.030{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:50.503{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039C87181406D63DBB0CB0473B84D8B6,SHA256=9E57CFC868DC2613107722C5A3F66E96B2B911FF213B1C62E96935C004634811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:48.100{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65040-false10.0.1.12-8089- 23542300x8000000000000000281455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.329{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4AAC3C5FFC060A41E14AF93A4DB69D,SHA256=D3CDEBFAB4BAA45EDDC4BB15F4C5C6856F28C9848ECB554EC76558D6EEB5A0FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:50.129{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:51.597{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E7EB2B9E5C7A6ED252C4B5A8BA2B88,SHA256=DCA6E3733820818F108895D2E88390D8BE55061F4510374C39C2836CE97D199E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:51.348{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1068309FE8662A5951BC9F1E40C04638,SHA256=EA1F606500722CAC77928D5F94E1E8239C527572A1FAB38CFD9EF491C2114B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:52.691{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF85E8895079AB3D4266DAF194C6AA9,SHA256=A26A2E9EDCF495AE26CB0F4F98BF93FB828681F134187C62074554873526F9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:52.482{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D95062D599E91E15B51FD4E4A68674,SHA256=B4CCE57AC59D2C1AAC9704496486460FFE9E35FF3CC4406E80E42BF5784B842F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:49.214{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65041-false10.0.1.12-8000- 354300x800000000000000054310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:52.184{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51098-false10.0.1.12-8000- 23542300x800000000000000054309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:53.785{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6C70522D913022E2D2F780093DFE9D,SHA256=3AB9835B6EC97E2FE039D6D73384BDBDAFD8C2A7703EF2D54D08CC9C01CBAD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:53.614{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2461A7886F878432AA808A229FB4F9FB,SHA256=5A62D8C87EFCD7EC163E3FFDDB9289CC530D9D5AB7CB7CFB06CF0F639C3A1B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:54.879{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9935DFF2069A18ADE2079376BB9DEBA6,SHA256=17734E76E0D53730FF72991C479E035ACE7ECDA717705A525769D60ADE85B841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:54.648{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0F0B48F049D8F8F6F42FF7B7066F4A,SHA256=B7AA141FE73522B2901B347382CD3927A9FBB1B566891E1B981BE780E48C1F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:55.695{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE941107270822D06DCCF6D1B24EEBE,SHA256=9832733AC5256EB2CCE49C41BA7D271DFEDF8019A2F456932BD23AA7C30C0229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:55.972{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF644FD93A247C92116A1047C5B6EAC,SHA256=E2C0E79C0D81F472B717AE64850149A0149D0075602D5CE68CEAD446F1C4D25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:56.845{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B73050004B0DF727C6FEA6AB7243ACA,SHA256=C5C2DAA28EE1CC4313A608E7A5AC7CC9E85E5BC34E757C259DB5D76778E1D50F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:56.464{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000281464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:56.464{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:56.464{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6c765b.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:55.062{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65042-false10.0.1.12-8000- 23542300x800000000000000054313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:57.066{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D350E6A4172F5DBA6CA3A385319151A,SHA256=F0EDFDE334074A1F52E2F04966009AE8C95C8C1FFF640B3B36A2FBE805B3D905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:57.410{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:57.410{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:58.160{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2374263DFAA7D9E152BACD7D9CF80D1F,SHA256=69F6D1493712601CD768366342A0FC7C7A6B539E82434A99995C193563379529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:58.009{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C945BC4CE4E1AA3999D01CF8D5823441,SHA256=851BB8A0951216232AB78DAFE9757F96306657E935AE4B7F93CEE0639E8F03B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:59.253{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E83A461A96E2887DE4EBADCBD59AA4,SHA256=8D1BA80C839BB7D7EFD956C95587AFE1E2EEFCA33200B1CB290C21E323A464FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:07:59.042{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0DCB8CB5A2C1121141FCCF1C91EA9C,SHA256=7E82E3887DD838584A780C691187BF39CDA1D7A3C05A8288323F4CD026D12F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:00.347{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F91A31A2CEB64F04738FAC138ECDD72,SHA256=5488AE5CC0B3979CB4145A0F35C46554E89D811EF7E4819F0C180329D4B05B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:00.077{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06CBD0D5F8E5A55AE754F70324E7198,SHA256=4EB6801BA0B5D6E8761F3E8EC0FFCF8708758D19CECCFC1CB9F59F015D58E791,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:07:58.215{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51099-false10.0.1.12-8000- 23542300x800000000000000054318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:01.441{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55679DF5E137FEE4821CFA6DEAF8178B,SHA256=3D1845C8D1E7100CBB6239A2D53D2B23E3F29ABB1A4340A22AB0BEB937481027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:01.775{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4C6E9C3B04F973165426E913601FC1EE,SHA256=1BD4E410B570A49FCA86CA5B47AE2FCBE6E8FA1FDC57A54546AD3A2B659AC387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:01.222{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D39F8E3AB6AB48371AB8C197E893E2,SHA256=9F901007E5187D4B954D1845B1F35E19A66A4382B94FAC68DA4582EE41E7DC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:02.535{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0F9E70ACA9E2FA3CE9EC22EB3DE4F4,SHA256=A6A5782E6637D6521F6289BE95447DD60AB106AEEF73F7E3A730279C5027AC17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:02.274{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D891FD9E3333F8567CD702CF1E1238,SHA256=D908FE090B1004FD91D70E89D7DA73DA6FE664DBEE7C09AD2A70D10E6F4CEEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:03.628{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FD2B873934741FA5310963D38C7778,SHA256=269BE1D38F145EDBA9D1560A01C5708F84D7A53824D1805B077B23484971C83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:03.820{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FE20A0F15DA68D113A44C1D8F54A09D,SHA256=C32644A49BC1DC57157EF96B29F23F48B811E88978600DCC5AB7BAB3C9E0CA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:03.304{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87FB8CB9BDA5B846A09F88591522CE3,SHA256=8B01184CC61F9F4592C6DDC72E432F484B14B7D572CB5D0894A27ADD18BABCD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:00.193{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65043-false10.0.1.12-8000- 23542300x800000000000000054321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:04.722{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B059E88721E9B46C8E7C142572C9E5,SHA256=FAC1A9ADD6CE1FD959B1AA154902C6871B8D216B0008FCB7F94AC4682FD355FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:04.338{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1DF610BDDF81092E7B3ECF7C9C3FB9,SHA256=F003E075E7CED3817AEA10C097B67646F4FF0FF062F25C3302B3A056898AB59E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:01.776{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65044-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:01.776{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65044-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000054323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:05.816{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBA1D9478547184A84D185F86BA0716,SHA256=E14A24983DDF474D7D8F129E8A1E2EA402D0887263C5CD25A8A0701CC3E4CFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:05.487{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D121B624F3E64C1FF49C977EF7AAC6,SHA256=FAFF935EF253A7FB8496504476B52EB81700C44378F979C22402255E609A3565,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:03.309{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51100-false10.0.1.12-8000- 23542300x800000000000000054324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:06.910{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066A6461F5377FF17827C2F2C2A496B7,SHA256=4319639B6CC9297CC8F87449CD9F78C8E6986CA3ED433D8A0D5A6516EF95BAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:06.534{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4A49F4B815516C586C15E756FFC15F,SHA256=DF2AAECD53349658B5F17B0FC69F99EEBAD6419A7DABB38BE95DFCACC93BFBF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:07.584{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9533B17170C51A3DA5C1E4281AABB447,SHA256=71645BD2050031D95708AF47EFF947F0648492D044EF1D5D40B13FE05EC86FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:08.632{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDDC753CB413A28F6D1B7AC9CBAFF4C,SHA256=F3DFBF28120DCF6176C52E6A4519DD5A384B0070E011DFF95F20A2B08A2A6CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:08.003{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDE107470DD35C4AE4E735B6168400D,SHA256=2A3BD5630498F1102F13D560E52C56CB6B9D22193FCBF18F055B0B5E89D31459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:05.203{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65045-false10.0.1.12-8000- 23542300x8000000000000000281487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:09.732{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0713B4A6A61ED306C4AAB5BC84DFE1E4,SHA256=8D1A41CE44919A8CEE4CB490E78D298872FB13DA7311394FBD04C87D9CABBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:09.097{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DCDAAEC0EB1CA678F9A441BF2837D2,SHA256=36B01B28E35D56CB3C369C379EFAEA46E6CF780E05C637BD3AED19C60D872A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:10.766{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFAB4EB2ABC0A25738CC0528C6D4016,SHA256=7566382420F38F526AC70F41822E1EFF20C38E9434E4F6BF6C03714BAAF62DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:10.191{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D87433CA72BEB27122E8283D4A41B1,SHA256=4FE850F4F4DBFD4D2E9DC10ED1E4FB90A4D62D96B22A442388D3A35180595623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:11.811{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D1B1EC3F9AD50A0ECB38F6A0FD809A,SHA256=549EFD2A4B214073E54C17CABB87A4864C71E316C7FC9CEA7D55F5FD56BD1B65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:09.278{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51101-false10.0.1.12-8000- 23542300x800000000000000054328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:11.285{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE858BCD4B55401AA6AC6DFF365ED7F,SHA256=A165518A6B68AC0DEF6EB6D1524AABB1F82247F29E5DADD153666D79F1ED129F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:12.848{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB02BC1A31353467D74B18DF05D91848,SHA256=E26B44A824295452A7DAB5BB960E15688E2CF2A3CBCEFEE553B1564004C39D06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.972{53069400-F54C-62DF-B803-000000007002}37123356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F54C-62DF-B803-000000007002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F54C-62DF-B803-000000007002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.800{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F54C-62DF-B803-000000007002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.801{53069400-F54C-62DF-B803-000000007002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.378{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126371419FF8F92C7992673A3D42AD5D,SHA256=8A92EF4AD57D9AF240F4EF02B8396BADEA264D2634560F92B341D22A68987B82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.332{53069400-F54C-62DF-B703-000000007002}34083808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F54C-62DF-B703-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F54C-62DF-B703-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.128{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F54C-62DF-B703-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:12.129{53069400-F54C-62DF-B703-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:13.894{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D72AB07FD7E9EB4432669ED51685CC,SHA256=8441B680D94D05CC0A6BCD66B40C3EF6AB932F2B53DD454DAB990948C57F42BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE70543F373E13DDF829D247F3E90FDD,SHA256=9F2E330FAF9E17315710155A8ECC7A7DFF622F88865D8BE43A7F2DF291DFF021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F54D-62DF-B903-000000007002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F54D-62DF-B903-000000007002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.472{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F54D-62DF-B903-000000007002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.473{53069400-F54D-62DF-B903-000000007002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000281491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:11.145{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65046-false10.0.1.12-8000- 23542300x800000000000000054359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:13.238{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A763F5EA896A92AA755BD4860B0898F,SHA256=8CA113691CDC679EE8DFA280137B24067AABF1C03DFF43D66950743E37AC1939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:14.910{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E3EFDB3E8B42F04276918EE79AB049,SHA256=7350720B26390AD489B60E777E6B8049C350567B8BC18E6B286D1BB106E5BB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.832{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321DA266ACBC90A74679055633CEFD6A,SHA256=2824D000EDD6F4C1A3B6F0B702E860D8042F9A2A8C2999CE80F8840ABB5EDC04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.816{53069400-F54E-62DF-BB03-000000007002}28523456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F54E-62DF-BB03-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F54E-62DF-BB03-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.644{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F54E-62DF-BB03-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.645{53069400-F54E-62DF-BB03-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.410{53069400-F54E-62DF-BA03-000000007002}21763516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F54E-62DF-BA03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F54E-62DF-BA03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.144{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F54E-62DF-BA03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:14.145{53069400-F54E-62DF-BA03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:15.946{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A60D800A4AF10B835A62F03FB5ED00D,SHA256=99B1BECA36CD463AF7DEBADE3B7EF7BB7DB272C41947B836F3DFA8AB824EAA58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F54F-62DF-BD03-000000007002}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F54F-62DF-BD03-000000007002}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F54F-62DF-BD03-000000007002}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.974{53069400-F54F-62DF-BD03-000000007002}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.972{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8F3F7E1429F4A8F02F2DF5FA08AB16,SHA256=751D648BA651C7C92B8AE630D9F41081A2E14485D17CD94B900F89CC60AE33A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F54F-62DF-BC03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F54F-62DF-BC03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.316{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F54F-62DF-BC03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.317{53069400-F54F-62DF-BC03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:16.992{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D7A62038A048BD2A906A657DD7CBA4,SHA256=2E74CAF16F423DA1F9E6F45A377AD8EC4D325C9D7B60A709369A0D72D665E5B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:15.168{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51102-false10.0.1.12-8000- 23542300x800000000000000054432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:17.457{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F1E8BD657EBD2F0E8E42862B44A2EF00,SHA256=1E64ACA7154107C9E8B10003BD1AD6026F8984588BD097D4BC56BD266DF7A7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:17.113{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C9FECABFE590918A6147D8C594A573,SHA256=3AB06F0894DCBB7C34C3BAA76AC0518537894C06021F984F649E9360213D3211,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:16.178{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65047-false10.0.1.12-8000- 23542300x8000000000000000281496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:18.124{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EB12641537DD8C2ACDB4543DDD3D7F,SHA256=9014B6EE4319DBCE719857C5EBBF52338306E48261B8F9CAE7596E1C43EDACE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:18.207{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCB843A933B6A117DC39CCF21A375BB,SHA256=3F2B868AF8B6ABF58EB48F077DD42291D75633C941DE093A5361008026C314DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:19.300{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733A539D83E6F474C52B04DBF03E2996,SHA256=1832CC0D5B817976F775F9316FB1088F9FA89D2621D040201D7314D6E250ACD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:19.175{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9984B22806C2AE65F51C68E46BF406,SHA256=2BE5F66F7174EE849D79E15AB1A5EA101FB2F4F9E0C069430C004E5B1BCBAAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:20.394{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FEB37A2F44C8195D90C30DA1134A2C1,SHA256=147412F11B56135A6F72088287B16DC7A1BC3F1F7254F1E8A7DB45061A2CD61C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:20.222{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0C676486594C4DD2C1D6E69BEDF334,SHA256=E804E4FB98B85906A4E77E9EEE0104D52153F1B1094B6228ACBA9559A8F14B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:21.488{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A02E88F7A712F26D411B1FF24EC5F3,SHA256=3ED46D8367B11D48808B59999A24CF04F173B47E46E8846770685B194A8EBAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:21.272{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273B8E9DE7A009A04B50204EB08A3FE7,SHA256=35D738FF51AE8C3D0803A0D2C9ABB7DF0747B34C59CCC34551BA36ABB5E86DB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:21.121{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51103-false10.0.1.12-8000- 23542300x800000000000000054437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:22.582{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE46807E0CBEE93B7B2FBFA1A43F87B,SHA256=ACD57ACADE1C1B5C3859BD5039233DD47FA3BB7979FD0FEA03566CA9C52A7EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:22.387{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA9A8B349441949895700969F036939,SHA256=7B46A1BB39EDFAE6760D67B491A704E9CDACDAFE2BA699783FDF55E9F7D44469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:23.675{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BA408A4D8510F365CF65F3477387F2,SHA256=C268C50F4DF19E0EF289D6EE41F0D7E25140DEFC6112E78150C8653E0739130C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:23.419{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EC1A3AE2FECBC149E1DBC4C29B77C9,SHA256=02E18C0B72CBC47D183651EEDDC31EADCA06F5129DF55252ABB0A22B69D960CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:24.769{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D52DF23DE0809A09A034339B04581D,SHA256=1A958D844A29EDB28F1F7E4940E1C8218B9AAA6BFA2505962FB4939154B9F01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:24.454{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9276B1BEF370BFBCA86748B77DC3EA,SHA256=01CB626281752E825D23D4ECE5F827A6DB7A47DC9FB83199D641CD7109A3AB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:25.863{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49EB5DD1764B65F6C18626E84AC244,SHA256=F1F5DBA501B0F4B8F3098C1519445C41A78D2D655155D6EBE3017CF3E5D7E5DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:22.158{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65048-false10.0.1.12-8000- 23542300x8000000000000000281504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:25.487{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3DFC7AD5CC6877890413ED2A53BC0C,SHA256=2BF3EB1D2CD5C5C054F9B5A942D0C11DF7F4D5E24CE0FE3F663D41621AADDF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:26.957{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85079E123A652315ABC90019ECF138E,SHA256=A70307D75F3EC56EEB3C1DA6308E19305F9AC36E7D170347ABD433DFDD1A584E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:26.538{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F629D735F75EBCA945676E0F8EBD8C3,SHA256=CC1F021F38A58B425A26CA9D24286DF8961C3F465C659784F72882F5146D12C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:27.568{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3CDE0C8DA9E199F9CA048B8CBE8ED9,SHA256=4CB79E425A27E1A15B491026AF061FF82D1F8E5C75EF89340F73DC1DF53DCF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:26.168{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51104-false10.0.1.12-8000- 23542300x8000000000000000281508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:28.616{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8FA7C3535A3F8AE793A00F33365D5B,SHA256=F85D45D6AE1928BD89C8499A37E61D2889AD64B765E3F913BD31119F62056A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:28.050{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE03E5218D1533A472710710377E516A,SHA256=2CEA3D00BD91102A71D306C1E7B9EA1C169291F43271BEA168FDE2CAB9C4FE30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:27.218{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65049-false10.0.1.12-8000- 23542300x8000000000000000281510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:29.753{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE2283008C68517669B5F4D29BECCA2,SHA256=6A80046EEF0BDA654E880A75E32F852F49DB5D6303FDED9AD526DE9785188826,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:29.637{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:29.144{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5061255526C2B72FB9FA316B300FC0,SHA256=9822F34D4D7C4B4558399F09634F64ABB1F10173F33242730DD9E665B36FBD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:30.683{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEC2496B03232AAC26F7839E82AEC77,SHA256=38442363C37106BF51EAE7BD7008DA4BCA454A0B7A243F60A9ACCFD70B3A00AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:30.238{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EA3BF49AA4A07878A4B85F2A2E6B2C,SHA256=CA1944687DDE1B3587673E0A66D724A323840B59FE69EF255C86CC112D0D42B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:31.798{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403EAEA12ED9A474EB5B24871C8B9838,SHA256=F721412908ABFEBE9669DC70D363EFF20228201A4AEBCBD04E5DE83206801B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:31.804{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-115MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:31.333{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B80EC4A9EA7843E82D31A83F469502,SHA256=E6DDE4DBE0702D5F5DC7E05B3829FD281322094403F75A4D75F1B358B8AF1D37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:31.036{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F79EA42EB3C66F923F2EA01FE92E80C4,SHA256=5684D64B072ADDD88C78BABFAC88E7CD34E0B8EA2F5492957BFB4FA95C2DD3DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.982{F81F30E6-F560-62DF-7405-000000006F02}46489576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.819{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDD2AD4B75B4B28D12AB16F81E0F871,SHA256=7E251B99197509527FDF0A128298FC761F8F8CB123317B622654B234CEA6FDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:32.813{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:32.421{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1673AA346BDEC5DC0A9A97382E3261,SHA256=227A8F99E432B44A3B8BD7061FCFCF48A3D854717177D905224ABD66062A2659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.797{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F560-62DF-7405-000000006F02}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.797{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.797{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.797{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.797{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.797{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F560-62DF-7405-000000006F02}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.797{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F560-62DF-7405-000000006F02}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.798{F81F30E6-F560-62DF-7405-000000006F02}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.297{F81F30E6-F560-62DF-7305-000000006F02}96321220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.118{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F560-62DF-7305-000000006F02}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.116{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.116{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.116{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.116{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.116{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F560-62DF-7305-000000006F02}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.115{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F560-62DF-7305-000000006F02}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:32.115{F81F30E6-F560-62DF-7305-000000006F02}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.850{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BCDC27CC3CDC4C92D44F99A923B9D1,SHA256=39F79BAF78BEDD5DCCE70701EA13C0BA2AE5016190BB7873C4396C603F91A246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:33.515{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303A3AB52C7AA83A54B764B2A01389F1,SHA256=8C7CF3ADA82614809F4275D94A6675E92E9E97EFB876BE9AA1EEA291920DBE5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.466{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F561-62DF-7505-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.466{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F561-62DF-7505-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.466{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F561-62DF-7505-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.467{F81F30E6-F561-62DF-7505-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.235{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F821EAC7A0A7B4B00AD750A182AE381,SHA256=DE8E84241CB05993C29E51EAD164059A27EB395EC2AB5E553FD1028338125C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.965{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2AF2F6EB8D556AB5FCC7078910D024,SHA256=F5D210E81A37D26FA1B098444A0685C0FFFB8BCEBDC8A0A81CA93F1CB72CABE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:34.609{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AA8040FB03CD33C79934A74E34044C,SHA256=C68C9A52000DB0733DA358708A69C35351C87F2BA811B9E12D19B6F09BB2D6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.849{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1193D11DBFD2A203F49B11886161F06A,SHA256=1AAB980FFE2D6BF62C04ACA80B4C1B1892B95487F7270374C1E319EE29B35BA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.816{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F562-62DF-7705-000000006F02}11188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.814{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.814{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.814{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.814{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.813{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F562-62DF-7705-000000006F02}11188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.813{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F562-62DF-7705-000000006F02}11188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.813{F81F30E6-F562-62DF-7705-000000006F02}11188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.367{F81F30E6-F562-62DF-7605-000000006F02}76127424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.134{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F562-62DF-7605-000000006F02}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.134{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.134{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.134{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.134{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.134{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F562-62DF-7605-000000006F02}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.134{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F562-62DF-7605-000000006F02}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:34.135{F81F30E6-F562-62DF-7605-000000006F02}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:34.109{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C38DF236F8B70DCF7AB27AA914A26318,SHA256=392B571CE25A8D7FEDD0237191B0C0FF5A36E8A1F59A15BB6A23E1802DD95663,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:32.164{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51105-false10.0.1.12-8000- 23542300x8000000000000000281583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.981{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5DDE57229C7D486EF6C19E645F7903,SHA256=BBD5A3EB3CE7F1F4EB19D4D93841E3B7B6D698753507679037225BC1DBA02D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:35.702{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E0F2EA348CF5DC54C4D8C5307E79E0,SHA256=522B1FBC075068A6DC61702AE9C75CC3A2A8B3AFF5845564CBBA112CD099C266,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.682{F81F30E6-F563-62DF-7805-000000006F02}107768564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.482{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F563-62DF-7805-000000006F02}10776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.482{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.482{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.482{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.482{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.482{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F563-62DF-7805-000000006F02}10776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.482{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F563-62DF-7805-000000006F02}10776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.483{F81F30E6-F563-62DF-7805-000000006F02}10776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:35.181{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:36.796{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B256D803B89AADF9B813AB6D26F71A,SHA256=EF5B05CC8D77DD942C3E854DD37BAAB8DC30D9DD4F788A20BEF8EF602AF4A42E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.266{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.166{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F564-62DF-7905-000000006F02}8708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.166{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.166{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.166{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.166{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.166{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F564-62DF-7905-000000006F02}8708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.166{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F564-62DF-7905-000000006F02}8708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:36.167{F81F30E6-F564-62DF-7905-000000006F02}8708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000281584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:33.053{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65050-false10.0.1.12-8000- 23542300x800000000000000054457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:37.890{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554538203D5FFAD4BC0A3592366A1E4F,SHA256=373D61262F9095D510854CCAB215573E371319B7B30A52A0743B79E8B57406AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:37.018{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803EE590C2E8B8B393A923E01E178DA7,SHA256=0F9773AB8F7961F6F43580590BA5664B416EC6E6072E6B286CC4AB306F5C3C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:38.984{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CB100DA282B1025DE45C6B77EA4AEC,SHA256=A14B9EB0149283D1318E43048138661C86AEFBB7D36CF1129E60B8207032B1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:38.049{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466B5B49A0C383D7657E082E1B53D03C,SHA256=7121AA115B26EE96906BFEDE6BD8BC107D21763D367C64AC2DF8290B68FA9DD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:39.510{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:39.195{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A0BA47E6E46E65C59B53A00335B172,SHA256=87B53BCCC4AB454D48F8A0FDA28BBDA35E1D8705B681CCC9E7F6B311659CE6E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:37.242{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51106-false10.0.1.12-8000- 23542300x800000000000000054460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:40.077{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5538A2EA2913FC46A8CB3BC50762D5DD,SHA256=28B8CD70D3C64198FCD9B41B8560E4C0EE3C1F1CF87A3584A348C1DF7AF97E04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:38.267{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65051-false10.0.1.12-8000- 23542300x8000000000000000281607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:40.231{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2822B3E92C5C6D82F315150482EC3F,SHA256=0F071BDF8E6C42693553DCDC73EE3C72CB6B5BA94094A9CEE44B9816F06AA3B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:41.262{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7041C997910AB4DE1406827178530E,SHA256=BD8ACEFB3446AA20B6FC98E8865766C7C71768EF9A926920A887EAE2C5D9B017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:41.171{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE814F3408B7F975C7EF96B1548D0859,SHA256=ACC6A2FB726A83AE608A98550396CD78418C1802326F629461B8F9CFB7E62EF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.476{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:42.409{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386684BDA1D39739C890C9343BB65AE2,SHA256=0837C18C9C2A30232C17CF0DB202FCFCA857BB8FEBDC86183ECB6B2C724000BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:42.265{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74E7BE59368D328825D5CD4D23E0B49,SHA256=D1389A7698CE6D9154C083D80C9282926B894A4611FECCDDE665FEF33EA3E76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0CA2532A268097FDF7871275211C99,SHA256=3BF3370ACE32C5F8506177EA91AD8085D99A2BA7D7CD0A65521E0D58B5124E83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:43.559{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:42.273{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51107-false10.0.1.12-8000- 23542300x800000000000000054463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:43.359{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C58215C6D1DF39C174BD528404CAA,SHA256=948B11D17A194F5E0826F485BBF3D5A7217574774CA4E58AB5948B02A01EE291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:44.612{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984485FB7D54BB84B5EEAE8DA55B65EE,SHA256=4F8AF0F197B4EE41B3F75CCC76D12015DD78307C11A3435ED1708759556BC4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:44.452{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E9E97BC95134183756324FF4157ACB,SHA256=271AA22CB54B7A9FE1B0D3361E886C3FEFFBD0637E935E63BCB9E721B7237A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.744{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.744{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.645{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD4EA878CE4E47458986DC022F5F32A,SHA256=76C831D32F4A1EABB02909AFAC054CF1B3B983BF89256FB85158D990DAF58037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:45.546{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FE879A497A31013F1D87BA8C1F03E3,SHA256=55F1727E19C2F49230568C032E4651C8250D6C651F89240DD2A481E9D3449BE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.313{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.311{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.311{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.310{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.307{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.307{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.307{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:45.307{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:46.775{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B08A3CB72A700952150D0A807E5224E,SHA256=3DA9F33C1AF4FD6653EFCEA9B88A976BCCDE1167B490760D7ECCD08C43550864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:46.640{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C7F1E99F249C56EC8663BB913931E3,SHA256=80AE690627DC9ED292BF86E1A0181F2EBDA2E53C4917411CC3271822BF0C6F8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:46.344{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:46.161{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-115MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:46.171{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:47.734{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3677BDE8FC355612D09EE36CE14222FD,SHA256=861DF00D64E16A03CCD75F1FC54598840910FBEA56460956405DFA33E3B1C5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:47.656{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=238AE462C9769FB8F3181C25E5EE7471,SHA256=44646F475D9B75E58DB25EF14E568B848A061A01DAD0FD8F6B6709AD54DEB29B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:47.944{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:47.944{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:47.890{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A963040B753CC119D35510D09065FA22,SHA256=A9CF3BA1DE149C3E50064A242C873E3E58A5E20E66E89159C50611396AB871BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:44.247{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65052-false10.0.1.12-8000- 23542300x8000000000000000281644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:47.175{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:46.226{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51108-false10.0.1.12-8089- 23542300x800000000000000054473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:48.718{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31F4C116496F24C15BAFEE1D3EA4F9D,SHA256=D1AFA957B896BAD1F650E0FD42E95387714C68BECB0AE508CD7BE05FF9CAFB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:48.907{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46345A1ED964D9D5B196BA1A8972217,SHA256=A7F7412325E2281E53F175DA8069CCE914939E1E7FC3B5CF57ECEA8A53440109,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:47.289{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51109-false10.0.1.12-8000- 23542300x800000000000000054474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:49.812{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC0BDC84DF4B241F641D4B0218E8AD8,SHA256=B21F4B3329809EB8F6C4BC34669A1BB78D964669DB3114B88EAE050BE2358472,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.626{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:49.126{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:50.906{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A2D457D2B3A523A5579453892D1351,SHA256=F604B2FC2658AFC066ADB7CE9397304824555B511815ADE75D232CDF9CB74A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:50.356{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8584A65B09D25899B17101C70B43405F,SHA256=4D8AEFA1BA3D7B96AF35B7B461D52EF715B186E63416DC8D58164B46962359C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.855{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.855{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.855{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.855{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:51.440{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF62770391723F5CD04A0F7FFC66F3,SHA256=68ABF459389066F1668EDC88B7C486EE2E803BC43750119D96A202CC1D32261B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:48.124{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65053-false10.0.1.12-8089- 23542300x8000000000000000281698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:52.471{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D0067F620DFCD8806B27929EEBA5A3,SHA256=A75C4124BB491112910E27CFB4A0A6FCCC5EA1865CF83A595D6B52531DE46224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:51.999{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD21BAAD575A989D76E0BC0DA162A792,SHA256=CEFE8CB96E80165E3D59FF37CEA5AAFB104491F6429F026AA3E56BA18748FD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:53.507{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF024C8B1CF79142FA8E43FBD43B0A8,SHA256=DBD34376A5BBA4A783B11F102E4017E4B52CF7EF0A6914F8AFA3C4C110742D60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:52.336{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51110-false10.0.1.12-8000- 23542300x800000000000000054477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:53.093{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF706242A0D2BE7D32B33E5AA993E65,SHA256=5CB9D28201F428EDA095DB4BAFA3C80D6F47632169F8B742F3D9EFB106F246E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:50.125{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65054-false10.0.1.12-8000- 23542300x8000000000000000281701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:54.668{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2347077C8EA544FD9C5146904B1344C,SHA256=6BC7ADB502442BB63738CF7F2751FE1D17A0658CDAE5F2FDE434914B7EB311A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:54.187{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AFFAE5241321EFC112B1E19428878A,SHA256=ACC536AA47D5F26C3D9F3A52F4F425B43E52CC9027C1FD85E568F8F8B38EBD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:55.771{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DAC59FB0F84087BFD5FB61C1C80FFF,SHA256=659EE48E55E70304BAB690C7FC52FE2E4211678F8F8C260CA0E742C5D039A8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:55.281{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CBB341DFD7E2CE3F7C3C40D1D33DB5,SHA256=EC129F85CD302293CD9BBED41740966FED7E1934BD18ACDED29A708E748B5BA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:55.472{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:56.823{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFF4E20CB4CD579444E5812477C56B8,SHA256=724F1C0CB50CDD8D9173E7193EF82BD9638ABD09C7227DF06E9C9D338ABE8F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:56.374{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7010917DA3156B442B6154CA162853,SHA256=C36711DFACE99D9C4B1DDD2EC50E0A82D43A95E9E5CD8D1FC4D4D167625DD827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:57.869{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEADD18A91FA2EC67E49B9112BA472DF,SHA256=C3EC53C4EE59BB5DC4A8514ED613E6884E487D4189C4AA6C1129C954EE9442EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:57.468{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4A4CFAB6A78B9F16308F52C537FCA8,SHA256=B22F713E1325C776FA67C8208270E39E36585E32E26CA81E8F0ED56DC2200BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.904{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9354914F584863E7777AF769412321D,SHA256=700D6E3FA5B033BE0BBFA62472AEF17672D2AE519E5054E5DE26A62D7DC00CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:58.562{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C045B3D4303E74E61B0B87A90CFFD29C,SHA256=2F05110E20DEDFDC26FEB21BAD8FA6668325B9437F9B9CB718DA42FB6AA2A3C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:55.206{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65055-false10.0.1.12-8000- 10341000x8000000000000000281713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.053{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.053{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.053{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.053{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.037{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.037{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.037{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:08:58.037{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:58.258{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51111-false10.0.1.12-8000- 23542300x800000000000000054484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:08:59.656{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50A2BB01E4DCF8FB1FBEFA4FA7433A1,SHA256=C34A87D5AD8DDF32F6BAB7CF4F49A164EBAE3E485FDF506AFC453CFBD4F4B2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:00.749{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C82E7C81F4D1B30C6AD18BF259775E,SHA256=0C1D17AC6866DFDCC9477BEFF2F5419A397495A6130E868D3FE78908EF59A2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:00.037{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0BA35DF987ADB0F430873546BB5D98,SHA256=92CE1B6517FF309DED49E7F4A15331F5B7390F081772609785EE9AB5B9EF7856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:01.843{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB56674ECD831AB8B87D3C58A0A06642,SHA256=4CDAA66687ABE3076C99E48F01752FC6F26ECEEEE78CC515BB2B0A1AE393A0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:01.321{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5413039E89B779A462DC749B5A11927B,SHA256=F61E207A8A22F87B51501E7264EC3328B64091D3A76C0A56C6CBD1F63AE824ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:01.153{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D3CB30718A88944C8CA434915B8D8D,SHA256=A6CE64C2A46A1BFDC0C1D4C6DC81CF890015E77A43DA7AAF79BE7D60C95FCF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:02.937{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C087AF07B38C9C593F104776BD7AED1C,SHA256=35201EBAC0D784DD8842175530D31CABE20951769745D4A0BFCCAA60880F1BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:02.201{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BC273A2332B463B8B7828043B5948C,SHA256=A1E91871BC0AB1AACB6AA99226ED747FCDA7D66EE726E296E00887858E6C107C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:03.870{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F394538D2E561ED32BA22BC834822A49,SHA256=5ABB5CBC85BE00E2647DA594ABC29E52EF3B9355C0D8883C574CB838AF59FA14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:00.219{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65056-false10.0.1.12-8000- 23542300x8000000000000000281720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:03.303{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D5B7212F1D2A4696A121446E93EB8D,SHA256=1324352EF2460DB74A24EF7914954182B95D326E2A39DE12BA27E2377C63AE36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:01.787{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65057-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:01.787{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65057-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000281724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:04.339{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEC5D65A72E0AF9D5A18A0CEEC4DA57,SHA256=680C547926503DDF19E71A52CA8F4646A870F41428321622117199B9EBE8F4D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:03.320{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51112-false10.0.1.12-8000- 23542300x800000000000000054489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:04.031{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108AAC1ECD8C64A70808C6F50BF7D244,SHA256=9B6EAA950D499CAB558F7D2CE99FD35414BEB2F0B181AE441BA57B253B35603D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:04.154{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:05.469{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDD4ABA364B9D43A4E13644971473B4,SHA256=47334347FA80F647B782C6D48996B18896CAA2AAFD41C5C6D4B3E29D4E88FF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:05.124{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E6DC040DF2A475136167668DC56CE1,SHA256=D31A376FC233AC8E3404E991DC2EC5A6197605822784E536F6E8C010676A7704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:06.521{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F2799E84FB147D09CABB0F120D314C,SHA256=DB4C07F454714204FE34B80E0C07A9C343D6A3716F3EB46D8E950E18BD21CD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:06.218{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BF46CDA2CF573CE7F9EE120B0D7397,SHA256=30F62A2692DF2012991929D3D9A674E4BFABCFBB3CDB2AB8706A9B27A3E44F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:07.552{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CCA67FDF87B7949347F85B6F90809B,SHA256=6B8352EBE8FD262AB19EB37A57C4CA70AC45C26EDE6CF714A884BE099D00FA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:07.312{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91904DBE3F6835F039804446EC1EA98A,SHA256=C198E2BF70E07E5A4F1C5FB392E4845722E3D553025B8380A0D861370450A895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:08.682{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA89A485768E181C772986A9F207C37,SHA256=7E60517C35046BC9024E81DAFA606C90ACED1362DE5FCBD9FCA7DA8BEB05A2CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:06.240{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65058-false10.0.1.12-8000- 23542300x800000000000000054494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:08.406{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454FD278EE6D45FBBB1C68E82CF9DF66,SHA256=FA79829386F76735CC373F3C98EEBD09E500FAA3C035998EB6E1FE6FABF27797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:09.819{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C962C6425251FBE21DF9BE0004FA9C,SHA256=05CBB983D4D1EE8AFD07E4186499F04E8296996A9B5A631F8D601000614C38E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:09.499{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BB0B0AAE6CDBDF80F5A83562C573C6,SHA256=7E27C4F1C72ADBE747FC32267BDAD8B42C85B680FBB12B269E134A94A2BFEA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:10.920{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5136228D3BB55AF6F6613EF3335C27,SHA256=32C005B13384E8945849D63E77481DED0DB2C8443597EFA02F10234C6384C09E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:09.304{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51113-false10.0.1.12-8000- 23542300x800000000000000054496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:10.593{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EC884ABA781F1BA61AE4F5D31C8FAB,SHA256=C07BFC2DBFA945A351016A605203D69C6CE793653818B1D179647C124DF71E61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:10.566{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:11.687{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BAAD47307495A170337410293E5A2B,SHA256=806550D8D32FB7F35AF4DB184C03460F19469EB4957489E11DC08DBCD5C66229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.781{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FCB844AC9880E90FE8B0CD81815110,SHA256=5D29BDE797D6E72A48D8F6FF42AB7791AF94B1FE944CFDA2946D340358B2CE3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F588-62DF-BF03-000000007002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F588-62DF-BF03-000000007002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F588-62DF-BF03-000000007002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.734{53069400-F588-62DF-BF03-000000007002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:12.022{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD37D46B1572245ED1E3C40B4B07565,SHA256=5ED4C720691738D9233E83EA3E16443C46C158A0A3147269CE9FF690BF9CECA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.234{53069400-F588-62DF-BE03-000000007002}26803220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F588-62DF-BE03-000000007002}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F588-62DF-BE03-000000007002}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.062{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F588-62DF-BE03-000000007002}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:12.063{53069400-F588-62DF-BE03-000000007002}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F589-62DF-C103-000000007002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F589-62DF-C103-000000007002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F589-62DF-C103-000000007002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.906{53069400-F589-62DF-C103-000000007002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F589-62DF-C003-000000007002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F589-62DF-C003-000000007002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.234{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F589-62DF-C003-000000007002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.235{53069400-F589-62DF-C003-000000007002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:13.187{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CC2A549FE111D4FC52414FB70137A01,SHA256=2FD2DA83CD2D53EAA66C9A1172FC86146107BD28CAAD22620D3342C1967C3099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:13.067{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D8CB5E1D2F87B41102EAA9689717A7,SHA256=124C69FD9A827320ACDCE456BB42175AE610A1A90C821D15308EB7417B93576B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:12.058{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65059-false10.0.1.12-8000- 23542300x8000000000000000281737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:14.099{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262D977A9F846F34DB0507F149D00389,SHA256=856E5CE250CF2FDB0FA83F3132C9E248B476C8C9C1F628F41F17B09A8D2B3C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.562{53069400-F58A-62DF-C203-000000007002}656792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F58A-62DF-C203-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F58A-62DF-C203-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F58A-62DF-C203-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.406{53069400-F58A-62DF-C203-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.374{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FABFD16BB9863EFDBBC2B6BEE942769,SHA256=5AAF1475990A2053BAA81C191B18B5B0E0322C714626192142436B938DD8AD28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:14.046{53069400-F589-62DF-C103-000000007002}16603720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:15.223{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1BC3D7A597DD7C6C882669602A1869,SHA256=56F057288559026B5250185B19ADBFCBCEF9CD773581E4E745B8BF1834626FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F58B-62DF-C403-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F58B-62DF-C403-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.702{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F58B-62DF-C403-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.703{53069400-F58B-62DF-C403-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.203{53069400-F58B-62DF-C303-000000007002}20122636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F58B-62DF-C303-000000007002}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F58B-62DF-C303-000000007002}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F58B-62DF-C303-000000007002}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.033{53069400-F58B-62DF-C303-000000007002}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.031{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F33B66800B3C1A8DD57D83CB106250,SHA256=355E2672C538F890B9FB780F61B3185D05A897A0246A3DD72F744CBD8A97D53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:16.254{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEEDA93D29754271E61FCDA04FD070E,SHA256=A50C7E86CB55F4801578F85A843CD1B26E27F8F609CBE7B1DA36B7AEFBB046E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:15.071{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51114-false10.0.1.12-8000- 23542300x800000000000000054599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:16.921{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CFCFE63AD0A40244AFA389F7F877EE2,SHA256=58E5EA26B5FAB7388DEB077C1F29E92D27BA906F248FAE3357E944B3D5B797F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:16.171{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F04FA0591F580EA4DFA406FCC2C39A,SHA256=BDDD5C3DCC5530855187F8F3E69B69B6671F71CF481E20B1DE02CAED6C808E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:17.401{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997AAF9163B3FA8A4555EB336C072908,SHA256=C7B2D9561E568B0FC2FF77A1486B303FAD78FC39427392851AD0B446C1BDD0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:17.281{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15F1A1CD267D483A99C731681A45BD6,SHA256=396DEF8B768103AB800115CD5C35BF2E77D8E5427300A82DB832C834CF617DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:18.436{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2255D2BF5119BC7CD0D8CDCDBE7529F7,SHA256=BDE5DCF49DA3EF328C71DF77248CE287FE1AAB1F403A02001B8B2D813E76BBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:18.374{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC96CA386DBA2A870A2BB0F1289DBFCF,SHA256=14091ECAB55C45E1D67948BCABBFCE6B963D5BCAB7055A2E182F356188C4FFAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:17.072{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65060-false10.0.1.12-8000- 23542300x8000000000000000281743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:19.482{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B51745D6EB6E38462DB69A461DD63A,SHA256=1A2F87B6C840BF46C17223093047D1D67709AC94F91A308EF271C131915C4046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:19.468{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975BD89E9315ECC8AE8E14189E9C3741,SHA256=FB7B766811C5DDD996063A4805BD86463D348F72F4E57AF9B82D5FC41C71C4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:20.519{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3EF9B70A12BBA089AB22B0CF90B519,SHA256=D7A05E6F75B8DC8E25AFB543EF847B16CF10EFEB742E602E71DBC27CD5A0C7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:20.562{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498F743ECB69B7E344D15F9E7570F626,SHA256=9F721438560AE29DABE4FBB56B236C6900FEC1F3C0696B1E6B99F6AE9B829D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:21.650{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C82D96518D9C835C19717294A3ED32,SHA256=FFB08F966E857783BCAD8CFE52BA0389DA54EBC72FD562DDA258C9AC0D3FAE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:21.656{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76581D60CCC604744FA43CAA67E40088,SHA256=148F8569195819D9CF4109152A796CB076289C5AC22AF5CE4A81A6BAEF35E5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:22.749{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC495EC4E7DB3EB98C19FC342372D62D,SHA256=91F4967F0E0B5C326148F24DD86E027D94FE1563AA561BA22BD081430D13F15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:22.697{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E2FB9E8B7F6D830E7ACAD941FF830D,SHA256=1869B27F5D02832DF7108F9330569F09621752758C93092DA889A5EA263BED33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:22.217{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:22.217{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:20.336{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51115-false10.0.1.12-8000- 23542300x800000000000000054608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:23.843{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC3537502ADC2C5C93100A40E3F2E15,SHA256=8C6C4FECE8B529AB4A6E79B8AC9B8D2930AAEE2C6AECB7111F94F5B27B97CA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:23.779{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2447A98301F02C41F8D00A2C2CD4BCAB,SHA256=FD99CEE4E48535A3917350733885B95DA31E3495B3478E414D0AED18244AB14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:24.937{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C738420815F1AA11D31C618CC683298C,SHA256=96426AE870C53067C7D069FA8E84441E1124C08CAAD2FA99012CD8FA7AE802FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:24.797{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98695E11A4418DA43B70A168D8A9E530,SHA256=F326A75EB833D7EBC711A5F15D076141975425241E2CC7E42FD2FC76D372FDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:25.834{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6071D85E32039061268CBC4640E445,SHA256=755F102F32475B04DEAF2BABA5C7A9258D1843E9114D288F1956FAEFF0ED6714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:23.099{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65061-false10.0.1.12-8000- 23542300x8000000000000000281754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:26.880{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95117F4DC5229152F14A04415A5EF585,SHA256=0B26BDFA649BA47F60293EA2858BFB254BF38D7CEC02BABCD085FB3E20A8FF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:26.031{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C2A5DAC814D2D0C32E070A7CE06ADF,SHA256=1AD77B5060DD32F9D2A13C69C31863EBE3B48A5FB2EFC1FEA66E4CDD7A1F92C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:27.916{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C355C7548686FFCC69B4BF2DFDCA269F,SHA256=24E1C84264EAB6422FA74B4943A01FA0512E0A094425C376F8FFA42E2E95FB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:27.124{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C790406E02DACF6D44A8FA361D47A99,SHA256=221A73621701C87AACBEECBB70A1B22F85F908466E5ABA17D832F1944478C2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:28.947{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295890A18C2BE702C61AB07D1DE4D202,SHA256=90071E44C312A326A8A87912E61F93FCCB9F85EEE8C3516FF79D322E4857075F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:26.243{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51116-false10.0.1.12-8000- 23542300x800000000000000054612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:28.218{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20F398974888B1E9C73136843DA6740,SHA256=3B59849DE3F01679873F86777C46C62804A2AE45FC5BADD2EA034393AA59A7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:29.994{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5587F38A6C4B5F50BAAA68F63E7C52D,SHA256=4B2DF2F68673668FE5682A9CF6F32431996915B4407DA38ACDFCC6B3F8476278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:29.312{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FD11CC2CC4B159B524F0F1F1B28DD5,SHA256=38A04665A651631586A90C0E89BBAAB8DF6D950798231801C6A69CF220968419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:30.406{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9A00CDA503FB6727AC13CE82691A84,SHA256=ED62A03886703A4F31460E3FD821F42B0E55D01810C6E1D13B6267C21DE66C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:28.136{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65062-false10.0.1.12-8000- 10341000x8000000000000000281760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:30.976{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:30.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:30.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:31.499{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E078803605A2B38AE8F21C33049F4AC5,SHA256=7960831F7B56FC5A03EB572248A43E5300566A8E4B6D3A80D96BBC24754BA7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:31.575{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A253EDFE6086BF5A4E57DA29F761C2A,SHA256=8E1C39D3269E4196844B5E9EAE0270AB45E3EFE272F2C1EBACBC9D1F45F01CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:31.045{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC94314EBD1FD8A27720773D983537A7,SHA256=5BB74E9248658B75697665CA87CD30529C3383613A724D1F38CCFA26C2316926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:32.593{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A64AC48B0832FB1517BC357DF184CD,SHA256=FEF7AD9DA445A6326C622E825C9AE8E56491B763F53C216B5D219471368E66EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.811{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F59C-62DF-7B05-000000006F02}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.811{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.811{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.811{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.811{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.811{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F59C-62DF-7B05-000000006F02}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.811{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F59C-62DF-7B05-000000006F02}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.812{F81F30E6-F59C-62DF-7B05-000000006F02}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.327{F81F30E6-F59C-62DF-7A05-000000006F02}96209608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F59C-62DF-7A05-000000006F02}9620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F59C-62DF-7A05-000000006F02}9620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F59C-62DF-7A05-000000006F02}9620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.128{F81F30E6-F59C-62DF-7A05-000000006F02}9620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.092{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AF24CC1976529B374F64F484BA6DA7,SHA256=EC68C7A4B94603DBDE9A081B24A1B047C979BD7EDCAA4104CA0698CA01BB25BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:33.750{53069400-D97C-62DF-0B00-000000007002}6483876C:\Windows\system32\lsass.exe{53069400-D97D-62DF-1600-000000007002}1232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:33.750{53069400-D97C-62DF-0B00-000000007002}6483876C:\Windows\system32\lsass.exe{53069400-D97D-62DF-1600-000000007002}1232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000054632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000054631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000054630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\AddressTypeDWORD (0x00000000) 13241300x800000000000000054629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\LeaseTerminatesTimeDWORD (0x62e003ad) 13241300x800000000000000054628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\T2DWORD (0x62e001eb) 13241300x800000000000000054627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\T1DWORD (0x62dffca5) 13241300x800000000000000054626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\LeaseObtainedTimeDWORD (0x62dff59d) 13241300x800000000000000054625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\LeaseDWORD (0x00000e10) 13241300x800000000000000054624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\DhcpServer10.0.1.1 13241300x800000000000000054623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\DhcpSubnetMask255.255.255.0 13241300x800000000000000054622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\DhcpIPAddress10.0.1.15 13241300x800000000000000054621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 14:09:33.750{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f7ec56-8a75-4033-b090-7a888f798e1e}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000054620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:33.688{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8920F4F4D93D582955CC9E1B1A295DBF,SHA256=E834CC8513F80A6D04304BD06DA1677202529DC65C4E9D7893BFC76971A1AAED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.997{F81F30E6-D97C-62DF-1500-000000006F02}12288132C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.996{F81F30E6-D97C-62DF-1500-000000006F02}12288132C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.996{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F59D-62DF-7D05-000000006F02}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.994{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.994{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.993{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.993{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.993{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F59D-62DF-7D05-000000006F02}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.993{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F59D-62DF-7D05-000000006F02}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.992{F81F30E6-F59D-62DF-7D05-000000006F02}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000281804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000281803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000281802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000281801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\LeaseTerminatesTimeDWORD (0x62e003ad) 13241300x8000000000000000281800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\T2DWORD (0x62e001eb) 13241300x8000000000000000281799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\T1DWORD (0x62dffca5) 13241300x8000000000000000281798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\LeaseObtainedTimeDWORD (0x62dff59d) 13241300x8000000000000000281797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\LeaseDWORD (0x00000e10) 13241300x8000000000000000281796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\DhcpServer10.0.1.1 13241300x8000000000000000281795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000281794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\DhcpIPAddress10.0.1.14 13241300x8000000000000000281793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:33.413{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0940a558-522a-4c31-9459-d9009caf8969}\DhcpInterfaceOptionsBinary Data 10341000x8000000000000000281792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.329{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F59D-62DF-7C05-000000006F02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.329{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.329{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.329{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.329{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.329{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F59D-62DF-7C05-000000006F02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.329{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F59D-62DF-7C05-000000006F02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.331{F81F30E6-F59D-62DF-7C05-000000006F02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.260{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F543538F27D28D980FAD691F63DB036,SHA256=A5E5295311CB4BF5D9FDCA06612276B75E2D7AE398B4EDBDD1D050B8E8FC9101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.229{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8724BECA89DF0D9C7B0452709D0CD39B,SHA256=63EC337991E5A7A975986512F5D501A706B633577CCEFF124D47A4A30AB46A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:33.331{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-116MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:32.211{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51117-false10.0.1.12-8000- 10341000x8000000000000000281782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.014{F81F30E6-F59C-62DF-7B05-000000006F02}97685860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:34.780{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22526BBAF268A6B7FF52998890155A69,SHA256=8D545062CB41DD0F48927EAFAA659FBF9DB16A3F1418B762414AA9B6C8B87DE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:32.434{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x8000000000000000281837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.860{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2E1903AA73E2191BDD92588BFF2672B7,SHA256=4F2394915E5560F1D220A3E2BB6E77DBD916CE09D93372ADA9D5959E3ADF81F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.844{F81F30E6-F59E-62DF-7E05-000000006F02}95169560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.659{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F59E-62DF-7E05-000000006F02}9516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.659{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F59E-62DF-7E05-000000006F02}9516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.659{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F59E-62DF-7E05-000000006F02}9516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.660{F81F30E6-F59E-62DF-7E05-000000006F02}9516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000281827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000281826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006df598) 13241300x8000000000000000281825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a0f0-0xf3652e35) 13241300x8000000000000000281824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a0f9-0x55299635) 13241300x8000000000000000281823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a101-0xb6edfe35) 13241300x8000000000000000281822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000281821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006df598) 13241300x8000000000000000281820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a0f0-0xf3652e35) 13241300x8000000000000000281819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a0f9-0x55299635) 13241300x8000000000000000281818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:09:34.560{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a101-0xb6edfe35) 23542300x8000000000000000281817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.444{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBF2A99F316A04C516A8AE09A653496,SHA256=3C09244F2A688B5C65430C9CAD491BB7C9DDA28AC9D0D14F2A030649C7C2EBB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.428{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:34.428{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:34.345{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:34.109{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BBAC642CFD46165C57FC83AC84D72F24,SHA256=EB5790B4B0BE028B2FA928E1C51EBB73AA1826FDB8563C5548397B4F6D7CFBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:35.875{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EC7452895B9DC99E691D1DA7B5FF45,SHA256=FBC649F8BA1E2391C4CFC4B84BFD4AFAF689E28486B9349EFBD160F6FEE7E899,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.435{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56693- 354300x8000000000000000281858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.435{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56693-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 354300x8000000000000000281857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.149{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65063-false10.0.1.12-8000- 10341000x8000000000000000281856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.777{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F59F-62DF-8005-000000006F02}10296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.777{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.777{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.777{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.777{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.777{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F59F-62DF-8005-000000006F02}10296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.777{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F59F-62DF-8005-000000006F02}10296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.778{F81F30E6-F59F-62DF-8005-000000006F02}10296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.677{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057699DAD5B06EC1A43CB47DE9A2F4B2,SHA256=847055850DF8C954442B79B25275F07FE7ED1E5FA291665CA31C8051D1C1C925,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:33.821{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 10341000x8000000000000000281847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.399{F81F30E6-F59F-62DF-7F05-000000006F02}102528484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.196{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F59F-62DF-7F05-000000006F02}10252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.194{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.194{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.194{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.194{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.193{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F59F-62DF-7F05-000000006F02}10252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.193{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F59F-62DF-7F05-000000006F02}10252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:35.192{F81F30E6-F59F-62DF-7F05-000000006F02}10252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:36.970{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4440638E8C24481D763528AD67B607FC,SHA256=F88DFE358A055193F6A6E3A4BB272BF89EB3C0C0EBB7A6BA01ACB1977CF86600,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:33.557{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60378- 23542300x8000000000000000281860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:36.745{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488F614294F8BA277F4CEF4A0307AEB8,SHA256=83E919D474ECEAB9060EFE796CD326F72E5E9D14A86A0B2ED07E9F24016232C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:34.507{53069400-D97D-62DF-1600-000000007002}1232C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c840:3ed6:8289:ffff-60378-truea00:10e:0:0:0:0:0:0-53domain 354300x800000000000000054641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:33.834{53069400-D97D-62DF-1600-000000007002}1232C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c840:3ed6:8289:ffff-57533-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000054640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:33.834{53069400-D97D-62DF-1600-000000007002}1232C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:61a7:22c3:cb75:157fwin-host-ctus-attack-range-459.us-east-2.compute.internal57533-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000281863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:37.775{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7576FDE39EB510D913CA5712E43A7941,SHA256=5DB2BC939A9F703724BC55420AFEC2596911472F63FA7212B77C3AFF0289EBD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:34.507{53069400-D97D-62DF-1600-000000007002}1232C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal60378-false10.0.1.14-53domain 23542300x8000000000000000281862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:37.712{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=D6F21453197A6442563DB538499075DA,SHA256=D4F5F23266DBF59B763F6139DA55605C7C5485433C74061E16B4288439E70D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:38.827{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7607235EEDFC7FC8B005C797BEA0536,SHA256=7DA221F3AC08DBA1CBE64582044601C5B338A24C2898D27DC5011A0841545974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:38.827{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:37.213{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51118-false10.0.1.12-8000- 23542300x800000000000000054645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:38.064{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7CCFD0585736A36DD51CB44FBE6399,SHA256=EBDFE74963B9DD3EFE5336D16CA872334D0F4D8C76FAE2176C63E7FC076038ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:39.857{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1E31482724D9DE66CC1DE684260252,SHA256=DB129779984DA72A807B623B53D2E741297BCD34B4126EA74C04E2DD620FD6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:39.157{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9DBC7DA7EF67863EF9ED172BF696D8,SHA256=2DA76E70A860BE3D372B67D464D61BA9A2993E6CC4AB86F7370FC7592A7F55D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:40.909{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B592B35A1DDDD38D0DEEA6D232A04EF,SHA256=02AA0E1D6C6576F07940457BE3641F5EC1628E76EF7B0AF27C9C3857145CEF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:40.251{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B1CF01755D8D28B251060827247A40,SHA256=90ED436914271AFA1DD1D075FBBADF0E5160B1380F15291C5A5B181D94FB7445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:41.955{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C944C0E8A06C00D267A8B66B882D38C,SHA256=69D5879AC476D1AE0C466014F5DB71F7806C660A92E39F2A18DE2B87933E7819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:41.345{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CB14131EDEB3B22EE799D7B9167D51,SHA256=F4BBCADDB1B81B861DA70A61F2B8444A8314D1E7318DD1D2FED60539FF56A48B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:38.195{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65064-false10.0.1.12-8000- 23542300x800000000000000054650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:42.439{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C681B69AA22947D2AFC5CF33B02D009,SHA256=39C3DE80FAE80A6393764185D99D55CC7E9C0C495BFF63F3CE8C124F5CF73E45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:42.055{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x800000000000000054652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:42.306{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51119-false10.0.1.12-8000- 23542300x800000000000000054651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:43.532{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578E54EF3F009510D7AABE5FD0CC21C9,SHA256=FFB2C91CF89325FD9C290B822F3AB45D5EFAFF24EAE9E3FD0260CD9C3CC21BE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:40.250{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58145- 354300x8000000000000000281874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:40.248{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58077- 354300x8000000000000000281873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:40.248{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58077-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 23542300x8000000000000000281872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:43.107{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5B8C094169CA7DD889A087C708965F2,SHA256=0CD0F57895F58E31E58B1A3315869865A6C3698D49CF53EC8808F62F8176DD31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:43.007{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC16B920C8927C5B7084FBAD0C0F05ED,SHA256=8927B254AFBD70B0DFED7FF54C52125AA02B6EAD00AF53B86A48FBB509546011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:44.626{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695FF2E4DCD789CA0C665809D0602098,SHA256=8E90CBE84B82F89DB4403AD82EC100E278B7E708532A6F544B967405F56776D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:44.368{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000281879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:41.077{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65065-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000281878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:41.076{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65065-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000281877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:40.251{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local61527-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000281876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:44.053{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE8E6F64094F99591ED4F64838D4FDD,SHA256=F30427CECAF17C486D51C45186C95ED50C5FF03A9BD6F7C32340D75042174F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:45.720{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36F69B683730849857B0BD559A4AAF8,SHA256=64911A25DC20FF6073F6A255728F8B6779A5402CBAB6731BBB60F1A54E65158E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:45.104{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7EE358AA32ED21B52EE603F8A9FDE,SHA256=28AB6942A96F3BF063402D3D9C39B87A3CAEC6FF49744844857C17FDB8B990B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:46.814{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AADDFB98A7FE4BFFC4CA3F68BAF6087,SHA256=C49C9306FA72BC496CFBE9F47261E52D1690043B0926C4B4B3B8483DB9A428CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:46.150{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455A840C8C2DA115607BA915186E82CC,SHA256=0F59324B2B36A5465F354293AC27443EB6E6514BFFE0C0D0DA219AF40D1DC108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:46.189{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:47.907{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847161E634001C9064DDDFC11E98C8FF,SHA256=57046BD3DE1F81FDA9354751E2F04D40BE3EFEE11873E792081E8C43B898A89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:47.733{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=653A98146CB045C8040B3B6D827C5D00,SHA256=CFA9A343C017020EC253BBB0FA6DC4B60B61FACE574A8659DA56971838B72CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:47.705{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-116MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:47.365{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:47.183{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A950223F0C7EF231DEAD714C7F75B788,SHA256=19C8121400F3ACD3928C888EF229C7871F2262AAA02EE427724ADD4C8CBCAA3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:46.246{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51120-false10.0.1.12-8089- 23542300x800000000000000054657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:47.392{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=777AA7CE48F0010CF0C621E34402C3E8,SHA256=412F514DA30CA83C2F6F727A18CEB8B972281490CF7CC730A238E36A75617FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:44.188{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65066-false10.0.1.12-8000- 23542300x8000000000000000281891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:48.719{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:48.302{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9C408C27EA99744B38FAA1525020E6,SHA256=6E6ECF6E70383B6CA562CF402EF100C5CA42DEEC6801303BBC3B5523BE57C876,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:46.015{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65067-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000281888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:45.994{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54314-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 354300x800000000000000054661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:48.291{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51121-false10.0.1.12-8000- 23542300x800000000000000054660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:49.001{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F3C947D0C01CD0199A4EA260A8EE4C,SHA256=AB797B710966FA37F92A6813C8390B3B7F37B1C6AB58FA7749827604A79925E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:49.418{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5845302CC9A694F42799C476682AB6,SHA256=D2255EFF9A3D8CD89ACC179B1E0F628EB55FAA2AE8ADE29312EAD6D3C2CB73F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:49.149{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:46.157{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65068-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000281895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:46.145{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59259- 354300x8000000000000000281894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:46.144{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56530- 354300x8000000000000000281893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:46.144{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64308- 354300x8000000000000000281892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:46.141{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65530- 23542300x800000000000000054662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:50.095{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684772C25511E6E1EFE60723A5A08EAC,SHA256=954CEE436A56FCFC2BB62AF35B3AC5C1908C12D8D3F5C3CCD57BCDA919606FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:50.448{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CFCC0892168C6BCB2E6A19101D30EE,SHA256=03CB6DA8F57A65B47F7654D43DBDF62D8B8007126952DB6195C8FAB9C49F1C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:51.189{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C135A665E1604AA861BC145E9D9865,SHA256=B086A4B9D59A8E7D7A49B2A11B4F3EE3ED76826AC3CBEEE2A909607E38AAF902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:51.980{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\11860MD5=D3573BDA0B65A1062B9464007C7E247B,SHA256=003C2A8ED300DDC3460CF6C9BF420B771029C67DCB0E726DF09EF1AB221AEFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:51.979{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\19289MD5=0141FE37025F37423B6CEF8EFFC2F149,SHA256=8AC8F59381EB3B3F01BBAE59E6504C8E4C050C5B339E6DF4C0AE3E1FBEE8C22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:51.482{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F218FDFDCD2F51A16634A627B3911D3B,SHA256=54FDDB8A69D72D2F0EA7108D0AB1B9EF02C7D7F324D5AB0A5C66756D02E50D3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:48.144{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64653- 354300x8000000000000000281902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:48.143{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59071- 354300x8000000000000000281901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:48.142{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65285- 354300x8000000000000000281900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:48.140{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59667- 23542300x8000000000000000281909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:52.514{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417D4414597845FD016DBAF0C815EC21,SHA256=059AF52FDA052700115EBF7E734D1F794E6F6C7F0489C3D08790C0AA362403E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:52.282{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5012C65817A633D3731D2D3061635B81,SHA256=0B73776E3EB45EA68BEC29E7A4E78334D5FE51BEBAF99C625CCB3CB80FD2DEB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:49.201{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65070-false10.0.1.12-8000- 354300x8000000000000000281907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:48.154{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65069-false10.0.1.12-8089- 23542300x8000000000000000281911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:53.877{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9B617D942C93ED67A0ED6BFCC2B3259,SHA256=75BEA51C4D4CF6339AD905E46496C479389BB4320EFA1E61878C151F23A90D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:53.613{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3471DB500E764119D4A037DEB74E0C7,SHA256=E15FE8759ADEF234E6178B2DDF807B189A631AAEBFC651C1F0F91A669D8A4621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:53.376{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CFC0EA55AB8A522506FB6EDFED1D62,SHA256=0CBEC1B459C6308871DEAFF881C81892CF6EAD45DB281DA5BCF387848DEAC601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:54.658{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13CBDA1DE4F4D14EAC706CF3E754458,SHA256=C1836F17FDD5FFA8DBAC7F95BBAAAB773F982AAAE530B053D6EA65FB31FE0F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:54.470{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6579C864037D591AA00DE902FD18B52,SHA256=0D45C17FCEBA9E367147C093B23F5BF09B96936719CAF796F5AEB1F307EC9C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:55.711{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9A302F58D30845D43C5D6FA09E4C68,SHA256=E902E737309D28895895E74AD4D37C36BC66409D96A81E8CDA4D5C104FB89004,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:54.322{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51122-false10.0.1.12-8000- 23542300x800000000000000054667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:55.564{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C8BAF5C8624E4788402F112DDC4341,SHA256=C299615C1359035E85957C30CD2C35B6181E102725FAD27AA3E1E4CE4FEAE94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:56.756{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62123A7606AF209B89A797730116617C,SHA256=B1E09943DA55E39F7D6B2D0738B49C4CA15EDF5D3EE3E090506173582C9E829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:56.657{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169066260BE5B288285700A2C9258FD0,SHA256=D11316CA7E3A1B6EC65480FAF9153D334F76277911679124FBF4D9872F08D0E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:56.457{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000281917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:56.457{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:56.457{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6e4b2b.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:54.021{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62395- 354300x8000000000000000281914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:54.021{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62395-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 23542300x800000000000000054670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:57.751{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF32ED957A3140E6BB29BE921121844,SHA256=E8FF7B00592B278F0574E71E2A0A8E6FB287ED78971CF8B92EAADA166E14C3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:57.874{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E778A48BD1ADB6281C4A3F477133C7,SHA256=01853B2105BF70EF5410C48A02D941F7B19277A03978C565A6ECD2349B46BF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:58.845{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BC418067029DE039B4068F519F0BA6,SHA256=25979C932E0CD6B5B72A1A30E4FA0FA5A1C6BB18AB7AEC4BECA69863D34CDB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:58.924{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336E69C8312191042A63DA1B8D99F29C,SHA256=41ECC32F398D25528ED2EF45B67AC91775AA10394BCBC077B747A72A6EB01476,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:55.232{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65071-false10.0.1.12-8000- 23542300x800000000000000054672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:09:59.939{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF132F468B00FA833AE8DB897A55EAAD,SHA256=8F73CC0E2838784E61442E7C66D10E5F3ECF5419EA6438B9BC693B36D9B7B5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:59.954{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E86A705DB89DC805B08430775D85BB,SHA256=76624F4F0B3169C269FD4C5A98C0C64AED7FFBF0A6A4F31D9D68ABFF25A6AFDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:59.124{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:09:59.124{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=93F0C47A777F1ED5BDC4B96975174C11,SHA256=78430546CE428F0F9365CC78E4D7048E89DF99A31DCCB27C0F5C6DCB88681A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:00.990{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1C8F50E6D12C23E6760A046EEDC66645,SHA256=2E958401745302E7DBBFE142AF1E0F4BA6A3819BB1949B0A341DBBCF59AA30C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:01.032{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAF26DAF1E629BA67BB992039AEA2B0,SHA256=50C557BBF079584642659682F4982CC0D74B331FF75DFBCC8EA25FAEB952CF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:01.090{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A427D011B9D4D5D53FED56505BC206D5,SHA256=E5500E6F686DA71E6964ADC939FCB067D76179FFFF3BDED480004A82AFD60CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:00.322{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51123-false10.0.1.12-8000- 23542300x800000000000000054674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:02.126{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21CB7936F7933575B6C8EAA6414FC56,SHA256=F2686687B297115A2DDA605A67B9633E743A0DED42BCE8448037834E9F5CC2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:02.105{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA77AFB14B4A8E92BEBEA57DD574019,SHA256=A1AFC6FCCA76AAE10EAFD10977D50B089B293547A7A7D53D59FE6DD1173A3E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:03.220{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19D70B856E02525DF7BFD64281371CD,SHA256=CEB50E469B50F31398C4AA1441AEFF6B6BC88166A7FBFBC81BEC3A4CFB1BBC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:03.820{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F24853C6C0013DBCCE0D60162DA70DB5,SHA256=BF20B35D9ACC8410A4480432532280E94A350249D84D08D5BA6B60B99D90B702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:03.136{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87C44D11CA75BD9260AE28DBE423E7C,SHA256=24E987B74516525DE3A237E5EFB53651F129B7EFFA4B778B09E62C7A687D281C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:04.314{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD8062631EF2E6C773F5BCE632782F9,SHA256=2C3863ACD9379E9FDF08457F447E583C00AC9746503049BAE58232797A7809B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:01.789{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65073-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:01.789{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65073-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:01.073{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65072-false10.0.1.12-8000- 23542300x8000000000000000281931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:04.288{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF9804F3A500CF3D5824DF7E1E6B43F,SHA256=BC9FE4D997F93CB177FA670C1BD44F61F484144CF593ED5AC5657F1D7CB4B15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:05.407{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4DBD204E22A9014D0C4C9EEADF4B56,SHA256=080C9D74724E4FD4E4B12D43BC53715E28722E99B4C25C2B195F22D192A908F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:05.334{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6513687D39641737E45D09CF483BF773,SHA256=D2770400A54E205FB79FE65ECDEDBC90AF3B87856D53545CE7793DFC0902A1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:06.501{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841FDAB1F8028C5AC9D382EF11028A4E,SHA256=D84F2A46C9269FBC9CE5754FB75E3E5F27E88CC41223AA0645B0AADDF5B35A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:06.465{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF44A44A581499A3DD22998EB5E72077,SHA256=78A25468AFA370C5CA39DD100F1589A8B9C107553EE681F2709B5B09AFDA48B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:07.595{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5772AD9D6B752A2FC1E4452CDE243F81,SHA256=06E9393860F9680EBE9AE88E6A16A0F3BFA45A0ADA7B2E776A20295EE50341B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:07.585{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11631FAF1DC014CA1AED7733F2053C0,SHA256=79CAFC575B183C77A389FB321FB2F5AFFD0147586CF626885C62437763C9BEC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:06.166{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51124-false10.0.1.12-8000- 23542300x800000000000000054682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:08.689{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217E0A1AC4370F4AFD12A433BDF35836,SHA256=C6FFE2D636039250CA0A7D1A471B3012BB2D33016C02A3F2B702E86AAF54D0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:08.610{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86ED8E073748FF4EB6352748BC077B4,SHA256=29E2A59D7A1EC3C3D138B57145BC83C048A8FD3B3BC14E67DFF334D09BB84409,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:06.185{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65074-false10.0.1.12-8000- 23542300x800000000000000054683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:09.782{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668E709E11C4AAD1C9343AAA5D17107C,SHA256=F6525A0518C54A15C7D147972DB111B23A4E7F83F2C14C72BEA2132D36E3AD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:09.754{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99D5680A9DDA3003143795E09EBAFCF,SHA256=84CDB76AE3831653229A07E303DE1F39D107EE01E42DF8F00E4714C8E583EE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:10.876{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A5855EA0EDC7B2079B4A932A2B2E58,SHA256=8AF91A872C1C39B3B174E34BAB1A76791A8AF0FA8853FA42199882BE21C6F857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:10.807{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5F48D9EB2C22B81177A7A49A425F6E,SHA256=04C4872AA4070C502396E245A435E9A74A8388C85D53B63D2365D27128C074B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:11.970{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98546BB779BCD14956798245D82B6FE2,SHA256=BEC4C1B62E9E659B02B027DE43B5D95E9072B5258859D1A9EF2E7A58C4CD7AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:11.953{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2FE1D462512537B79123AD19A7CD5B,SHA256=9D13322D405619C007C90F375CB3F7BA561E37301E615318C0426510F0D75A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:12.990{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78DA0829530B83E4ECC12391075160F,SHA256=91E67FCE435247FC2378D816991CA6E52BE3E9059B300D10DD4D0F70A9F19B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.751{53069400-F5C4-62DF-C603-000000007002}24481516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:11.181{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51125-false10.0.1.12-8000- 10341000x800000000000000054712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F5C4-62DF-C603-000000007002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F5C4-62DF-C603-000000007002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.579{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F5C4-62DF-C603-000000007002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.580{53069400-F5C4-62DF-C603-000000007002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.298{53069400-F5C4-62DF-C503-000000007002}38963644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F5C4-62DF-C503-000000007002}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F5C4-62DF-C503-000000007002}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.079{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F5C4-62DF-C503-000000007002}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:12.080{53069400-F5C4-62DF-C503-000000007002}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F5C5-62DF-C803-000000007002}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F5C5-62DF-C803-000000007002}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.923{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F5C5-62DF-C803-000000007002}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.924{53069400-F5C5-62DF-C803-000000007002}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.425{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA6B60DF2A0FD874430EBCFC0C8024E,SHA256=9150CD10B5D1D3C1836B3D206F9708E666BA9CA607E76DD48FF7F1BA54E08A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.425{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61786D7EEB31C4836AB83F5901A194BA,SHA256=46121D8944BCCE76349168937B4C926949E5923898516A26305BC99796F7BB15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F5C5-62DF-C703-000000007002}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F5C5-62DF-C703-000000007002}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F5C5-62DF-C703-000000007002}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.251{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:13.252{53069400-F5C5-62DF-C703-000000007002}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000281944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:11.275{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65075-false10.0.1.12-8000- 10341000x800000000000000054757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F5C6-62DF-C903-000000007002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F5C6-62DF-C903-000000007002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F5C6-62DF-C903-000000007002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.565{53069400-F5C6-62DF-C903-000000007002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.564{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24636476CEFC9807B35510BBE9D0F360,SHA256=46991C8E3381CCD913FF9D5E4E46226EFE4A40C961AAE6029E507BC2EC064B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:14.136{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5CF1E959F96EAD50AFDD4399F228F9,SHA256=5799CBF95236C17837EC6D96A81A8599CBDD1EF5109C75492ABCE4CD1AD00E96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:14.079{53069400-F5C5-62DF-C803-000000007002}29362652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.704{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF3836564598DB8FABDD0162135912D,SHA256=0E9723D4E41700ABE5617E53FBB53896F318FEE9828F1E522E893B861632074C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F5C7-62DF-CB03-000000007002}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F5C7-62DF-CB03-000000007002}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F5C7-62DF-CB03-000000007002}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.564{53069400-F5C7-62DF-CB03-000000007002}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:15.168{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB1CE8C94D44EC37486A34099EED68D,SHA256=087BAC15BCD8FA2A3EA851BDE3A62E8308D921AC839FF98016183A90CA4DEBE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.298{53069400-F5C7-62DF-CA03-000000007002}956384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F5C7-62DF-CA03-000000007002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F5C7-62DF-CA03-000000007002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.064{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F5C7-62DF-CA03-000000007002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:15.065{53069400-F5C7-62DF-CA03-000000007002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:16.704{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90048FDAA4FCD49EC0C7F9CE9425C63,SHA256=1714B9D7E2F0D1371B69C9C15C9D952949EB96E69D4E08904260BDBC114FF6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.202{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69DC595EA2E0E7D0BC4051743346CED,SHA256=334981A408148B82926B23424E3BE05ABF11B6D2C9284A2C152C36EB6E89E79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:17.798{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CBA0808CED20B1CF10A912874AF811,SHA256=7DD5E173D8676DEEB502D75F25437E9B540CDAF73E0D4555A3CD614739B2AB45,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:16.181{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51126-false10.0.1.12-8000- 23542300x800000000000000054787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:17.704{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=36FFF5D66BFBC1889501510DAF7050B0,SHA256=EFA02112321D2BF3B9A4BDC5180672A219262B4464F10EBCAEE9948732151A28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:17.885{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:17.248{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD68C391B7DCEBDCE96A035B6D97E6C4,SHA256=5F8C25B0B5B307B0A562BC65E501E4BDB1D5132C5B397B3CB5E9E778C64BE7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:17.232{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000281950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:17.232{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:17.117{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:17.117{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:18.782{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EC5900A1737541B7C706B9AA119051,SHA256=B714D4ED030FA45D3664DEF5D80EA672F7BEC6F44E3B8B70851317FC00E4CF3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.259{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65080-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000281964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.259{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65080-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000281963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.150{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65079-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.150{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65079-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.142{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65078-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.142{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65078-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000281959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.141{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65077-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local49666- 354300x8000000000000000281958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.141{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65077-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local49666- 354300x8000000000000000281957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.140{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65076-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000281956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:16.140{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65076-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 23542300x8000000000000000281955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:18.266{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACCF567C259EA8ABEFE9D3301168432,SHA256=17C37F2DAE34294499B30A97C291F0ADAB444029AEE76E28B1FDFBB5A51426C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:18.216{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95808FD94D0EF32F7CDE654E52AE71BF,SHA256=D93E5F4036640715551122465C25189A5D9AF8B308FCE61CCD841A2527A0FAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:19.876{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2264C88385154D64BB5678F924069F6,SHA256=DD007A181C202A0A24429AE93CD77FCF43CF329B469EFAA2CB46137C76FECFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:17.070{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65081-false10.0.1.12-8000- 23542300x8000000000000000281966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:19.315{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1772EE05A8A5D8AACD9768832F3FA81E,SHA256=55A408F2E39B9F64E3BE203DBF42964E674E72E2168AF1AA9948021C0CC5A20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:20.970{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9855C5AE5646E621062123C81114986,SHA256=712BA688A713009AAB2DAE85F615E0B1574E201B326AB9B515CB0DFDFE35F6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:20.363{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90642E9AC0AC64B722DBDF514EB45CA,SHA256=9E22564BBADBF54468F6D16DA4EDFB7A0F9A2E76CA3D6F7E5130E9FD1CFAB61D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000281971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:21.581{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:21.581{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000281969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:21.512{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F819976673CB7D2CFB06359B4261913C,SHA256=A561457A322909307AADE43C83E42F0F4FE305DB79A16DBF109B8331DFB87E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:22.542{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4BB42181B5D9F0731DC46FCAD95D11,SHA256=DEDDCDD25725C88F86D6E2B1F039E7E6C111513968EA7701612D13327416B22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:22.064{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7B0621D0CB4BE21D53D2086F2BF9E0,SHA256=F45046D40DEFC06C4EC703E9E8F2D7407828B5C34D1144DC8F61ED9352874D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:23.594{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3231B87039A3C12CC11731E6A9343579,SHA256=2376C1BE41F66F4AEBB27FA450A9A1CB61EDE28D750264335DB74B61EF702E81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:22.197{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51127-false10.0.1.12-8000- 23542300x800000000000000054794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:23.157{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B4828FED9C66078C426BF04EBA9891,SHA256=F7D67ED4CB2193C2F18CB106ED3D3CD5C8D6AB3A2955F2E399C6A5046807BAEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:22.201{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65082-false10.0.1.12-8000- 23542300x8000000000000000281974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:24.640{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5142D4F5F997723C94D70A5C8B0FB74,SHA256=8612307F65ECB10EB6334D6464E3FC9D619E75FE7F03AD5343A58E4623AD969C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:24.251{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78125618F87BA8F155FD35D11B1FED7,SHA256=88F6AE14FC5A165471B41C99FF846328490CF85CFEA574F9258164FAE6E1888D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:25.676{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EE17B552D8997620587178D1EA92BF,SHA256=C2E1D6A38DDEDB46BC0E0E063542150F8AE2E515440E1BD72EFB13069F738887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:25.345{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D9600D52FF3140F9A1726C5BB9F63A,SHA256=4BAB9D733A1493049AF82E8FE474E448A1588AA5DEFEFF6F4C6968AB08330B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:26.807{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932630D4DB65740596CF3FD9F34FB0C9,SHA256=F750F71D2AF4AA03DE5694E7B0809468B4BC8F62A699026465A574534A511632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:26.439{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E2DBE0BAC07A619165EBA6112A4D08,SHA256=758DC11DFA7D6D9087B48379259DC087054828AA271ACFA7CE6A1EF1CCED5580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:27.854{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242BAACE3F2DABF629C6CD784C91D119,SHA256=CE6DB8CA5668AF69AE5633EEF5C3963C73B8A5B5712797E8270BAB0663E84C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:27.532{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB99C661D91DA596CD16584EB1ADFAF,SHA256=E3DC0616FE2D9F95CABDC6C1B0506382DB8B4AE43AE2AE9805B88B7729F38FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:28.953{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8E36CC1E40F4B6D398990ABF1CA1F7,SHA256=AFB40E8136E84E5FDA7BBB5B3A746435605D33F649830B047D0A3127C6C9B985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:28.626{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CE91391F650EDA1A5EEF8A4105293B,SHA256=1EEFC91C0A8CC7F0CD6B9FF956144CEEE2D622D1A301D42738262439439AEBA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:29.987{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2161E950A1A58A35A3D3D54AD950E80,SHA256=5510DCDF0ADD9B76781F9EC2BBCB6AD7F19683BC8D8FFA9D6E0E9CCD5FAA1DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:29.720{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAE7A0DA38A89F9608F6242FA8F5B90,SHA256=13F251E40A79868022ABB80368603703DB8C38C34895485D1892FF74C73E57B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:29.104{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=826DEFE6871D76C40E08673088B645A0,SHA256=92A1BDC644105705BEF4BA53B380C6591ED38D5D7651B68A441D6B7CDA3B9AEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:27.306{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51128-false10.0.1.12-8000- 23542300x800000000000000054803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:30.814{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFFCCA45999E82689D278634FDAB2D4,SHA256=C549F397BDCBCCBBD7849C98BBA19E1D83AF7E5516163C5E3E1038C9DD0F2467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:31.907{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BFF2198BEEB9E4EDE5DD9CE83DED2F,SHA256=10340B475D3271E1C6CD06E07E165645ECF601F015CFA6090EC37FD3E0C780EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:31.218{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0164DE1BBA62AFD21A80C29DFD5A9310,SHA256=C615076F5CF0662C7C439FA71A7729F5D7D05821F91CC6E42A5B4E83554CCF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000281983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:31.033{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36304A8CA7E0CDB2A919AA432144DF8D,SHA256=F47C7A64B6A64713B5C01DF2906DA2F64106E4B9DEE7466AA3CA35FEAB942158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000281982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:28.195{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65083-false10.0.1.12-8000- 10341000x8000000000000000282003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.985{F81F30E6-F5D8-62DF-8205-000000006F02}997210080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.752{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F5D8-62DF-8205-000000006F02}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.750{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.749{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.749{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.749{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.749{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F5D8-62DF-8205-000000006F02}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.749{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F5D8-62DF-8205-000000006F02}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.748{F81F30E6-F5D8-62DF-8205-000000006F02}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000281994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.316{F81F30E6-F5D8-62DF-8105-000000006F02}20606920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.085{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F5D8-62DF-8105-000000006F02}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.085{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.085{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.085{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.085{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.085{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F5D8-62DF-8105-000000006F02}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000281987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.085{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F5D8-62DF-8105-000000006F02}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000281986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.086{F81F30E6-F5D8-62DF-8105-000000006F02}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000281985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:32.050{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D97FC5E3EA283D096C7182F6AC27344,SHA256=E81A1BB365205EDA997F2500C35395A2413CBBC860EBFA5B5F3A49BFDBDC097D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F5D9-62DF-8305-000000006F02}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F5D9-62DF-8305-000000006F02}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F5D9-62DF-8305-000000006F02}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.416{F81F30E6-F5D9-62DF-8305-000000006F02}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000282004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:33.101{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075B211E62A502694B329BB92F73193C,SHA256=AB80BE24FEB988FB0877D13E9AC26D905FA7158E026377943F56D614F3C8D799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:33.001{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627944F5D9E037EF04716285FDB332C6,SHA256=FA51AE8F8B92B1BDA7E9EBFA4FB11C8B662928B2E6646BEA370DC53B1A587D1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.931{F81F30E6-F5DA-62DF-8505-000000006F02}777610876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.868{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3FF0ACA990DDE0686B5917A49CE080EC,SHA256=E2AD1DB738070A98D3B930C7D221947C874B701690F1B5C1242748B9C089A742,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.751{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F5DA-62DF-8505-000000006F02}7776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.749{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.749{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.749{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.749{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.749{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F5DA-62DF-8505-000000006F02}7776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.748{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F5DA-62DF-8505-000000006F02}7776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.748{F81F30E6-F5DA-62DF-8505-000000006F02}7776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000282023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.485{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=624CCACAC46AA9E5EBE0F1806C1CF3AC,SHA256=149721E01B6D1B2B536178A09610E9824EA046E6E78AE7E3E8FE6ABEC8454D30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.269{F81F30E6-F5DA-62DF-8405-000000006F02}1027610272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.253{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B622E410983D21AF871A6F9EBF5A2B7C,SHA256=37E1A1EB0B32A0DDD0614210C4E55252F3C07F8C232B1F02C2E6FE97952EABEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:34.863{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-117MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:34.110{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=545CDA59AE7AF19998693A1C586C5562,SHA256=CE83BB05F4A56FAFB6D9C18A2E40DBC5D2FB30DC13516AAED533A8D6B6512FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:34.095{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D0B63B0486836DC9327FDA2B2B2F86,SHA256=091DBF40E1FE7BC41C29F8F32EB2DA0663EA047A06DEA29F722C521415D7EB07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:33.088{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51129-false10.0.1.12-8000- 10341000x8000000000000000282020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.084{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F5DA-62DF-8405-000000006F02}10276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.084{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.084{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.084{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.084{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F5DA-62DF-8405-000000006F02}10276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.084{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.084{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F5DA-62DF-8405-000000006F02}10276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.085{F81F30E6-F5DA-62DF-8405-000000006F02}10276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000282050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.983{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F5DB-62DF-8705-000000006F02}10492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.983{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.983{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.983{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.983{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.983{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F5DB-62DF-8705-000000006F02}10492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.983{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F5DB-62DF-8705-000000006F02}10492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.984{F81F30E6-F5DB-62DF-8705-000000006F02}10492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000282042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.430{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F5DB-62DF-8605-000000006F02}10768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.430{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.430{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.430{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.430{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.430{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F5DB-62DF-8605-000000006F02}10768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.430{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F5DB-62DF-8605-000000006F02}10768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.431{F81F30E6-F5DB-62DF-8605-000000006F02}10768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000282034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:35.299{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C25481CA6C4ADFDEA65482C47EE448,SHA256=73A6A952E14617C86A533CDFF0E54D2631141FB7F834F3BA9048C083A23D7409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:35.876{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:35.187{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3843E3F67FE42B4D86D1CB70DF31BBE,SHA256=A3263FA349571C09BD372E3D1A0406217E55EBF8807AF0C495695EAE45783469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:36.284{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F55586F49429CE9E462A2652A4BECF,SHA256=0A513F512435BA5D47D6888C4F6D112AB5EDBF7C6A911B02D5CB95E0FBCBD06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:36.351{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FDDA4D5D20CEC74682B6E4E1AE4AA1,SHA256=3A055C501DBC147FBD4EB78C025B8A941E8A5378CDBCB91485A43789AFA86C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:37.379{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9A79EBB8B60387C8276B0692F05BA3,SHA256=1E2FFFE17D716EFB73374B6D709BEBE0306088A8A79099232570534715C8ED37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:37.383{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBD9ECCCC2D768042D5F962E18BC806,SHA256=7923A3ED6946AFC3D273F528CA50D27BC89D60301D12A8EA39AD2150CD2A4894,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:34.224{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65084-false10.0.1.12-8000- 23542300x800000000000000054814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:38.473{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063E9790177B69A127D35EC2BA0E246D,SHA256=F7BFF9D1D0EEAE908C3FA284791DC62133EEC51D24827F36AF4DB08A1125E5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:38.529{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF63CBBA2AFBAD9E0CCF6B7AC8D9EE6B,SHA256=182EB1673F054B836B9FD7AA9D0DDD11277520D3D8A22A1A1CBB74FC57542CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:39.567{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9D9BA4C07289415608179C8BEF38C3,SHA256=8C17B0C6106461BED1DD86398C6DB2D61AE94AFE16325590FD334CF4B855DAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:39.645{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DFDA3C241C7A626A7E1288652675C0,SHA256=FA108F093EF558D5C48A7246C3044112D92C367FC430B807730843CE7A1B8769,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:38.122{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51130-false10.0.1.12-8000- 23542300x800000000000000054817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:40.661{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E16091EDFFDF0C349AA23F650486C9,SHA256=2FD5477BB2AB58299974896369FB8CF592CB85857A36F0828C9B08A58D8D1705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:40.712{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AD9BA8C53700619B80B074C8457AE0,SHA256=FFA59CE610E4458812162CCB3144323C07DEB3080EE90A262D553BC5ADFB3164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:41.754{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2A3981A4D07C9BB59743D1E028FAD4,SHA256=4420ADA207D3A457F6E656EC78285ECF495184E777228B5B1F3BB3B955F29795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:41.844{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19BBC043ADCBB8C6CA8919BF81ED3EC,SHA256=39BA928950A50C8D1CBBF05400D8462D0B1FA5CA11BE37A1058FDE1307442A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:42.848{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFA343E0C4BE2046F1C801DE60A17B6,SHA256=CBA06CCD3CFB58B8D7B5D164F99C6FAA8B9336EC536E244DEB72F199B884AC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:42.878{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD77BC2162CA69594B3AEB2FB0D9A9BC,SHA256=21BB547FF7547ADD1F7063178C3B62674590E9D518DF132783431D9026117949,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:40.103{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65085-false10.0.1.12-8000- 23542300x800000000000000054820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:43.942{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300802B41F314031A611C5FC2323B012,SHA256=3B37AAB9F7501478B939E7843CA12B8883C5D7AC7BB96F94C6387B4F8888D8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.993{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27660849C5661AEC9A1A4F9455DF7931,SHA256=E6363797A4348E19A0387C42642BE2FF52A406701BCB4FF09AA5C36F2AB8FA95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.962{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:43.877{F81F30E6-D9BD-62DF-9000-000000006F02}4688ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:45.043{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC40BA7C889C29E5C57FAB511B4D5DFF,SHA256=A506B61A6ECFFCF40F3010BD8AF43D221C27ED7433F08A06AED6972FABA25F48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:44.153{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51131-false10.0.1.12-8000- 23542300x800000000000000054821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:45.036{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CE52A5473B735CDAE9C7A8332784C6,SHA256=33C4BCE38D4853C6F8FC8429BDE458102B8EF6FD74E8670EA8DC2347766617C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:46.176{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8A894859D64B1D937C74E70C32C5D3,SHA256=0F3B9DE06079A15A8FEEA08DAC791F1A263850452EADC592B48CA99EA9CCE8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:46.207{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:46.129{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1CF858760C66E209F53F6FE6EB47E9,SHA256=DE5051DA075CCCCAC1E30F1381082ABFAEACD058EB120BBFF1449245BBDA359F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:47.339{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A245476D31E45C32C6A4BA19CF61D4,SHA256=243E1AA46B32725D0BD466E2CEB333EE03DB2D478046E9F90A4B5BFB16FF37A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:47.848{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=14553DF3CE7E78285CC5012FBBEFA813,SHA256=9527958DA0C4C6CC5722DD2574FE5A703CF15D995A0BE3F5ACA13FAE545A2497,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:46.262{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51132-false10.0.1.12-8089- 23542300x800000000000000054825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:47.223{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1048099826BD475A66B0B2D9718F1C6,SHA256=9ACBB770E6790144E4783ACE9F443CC4321685F6BF185085DBDD51CD249FEAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.459{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA20F807519B4E307640C675675A109,SHA256=8BB7032BB08158E302727734A4CA7CF3C7579079079AEDBA1A60418C00BF7C14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:45.215{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65086-false10.0.1.12-8000- 23542300x800000000000000054828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:48.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37AB242108F0829F606E8FF8B683A76,SHA256=834EEAF53F210AF0B067D88A2E13815EFCDFCED5249A874533AD40CD12584399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:49.410{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E37716FC6F55FE1E4725ABAB5176C9,SHA256=4E0A230DFC78F4E2A6B84FC225D866692458F06E2F1E81B11E2B2807BA794E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.490{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89045DF29FB44F7CA1D856F621B05730,SHA256=A197FD8337782E72FF90CD9062ED9E2F3F6CE61467E97B804FC2A3E660D31581,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000282082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:10:49.490{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000282081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:10:49.474{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000282080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:10:49.474{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000282079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.474{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.474{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.261{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-117MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.174{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.121{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:50.504{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE4721D4AC0B5DF71B82C31E6B544EB,SHA256=A0D9B5C47716583E6E793C160A8CB72623DAF10E009B4D6855F28A4BD9AA3591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:50.520{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F0F2CD1D5D56C8E5DEECB80F9ECCC3,SHA256=31302B4A3A462DE403A911979DFC3985911AAFD83070D45B0EA5E2D62A366EEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.182{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65088-false10.0.1.12-8089- 354300x8000000000000000282089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.146{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65087-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000282088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.146{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65087-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 10341000x8000000000000000282087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:50.319{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:50.319{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:50.319{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:50.274{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:51.598{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E4B244E4382042A5121BD096371807,SHA256=B7F70DC11142F3DABF60509D5668BF9B1FE815AD535C9C8C4494DD4AEB023A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.556{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AB2F870BD53E47553A57F659D7ABB6,SHA256=657E11B2F2E6C0D05F3B9C01209F345EEC707318046764DA88B7D2EADD50AF73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.342{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65090-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000282104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.342{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65090-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000282103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.520{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9860:88a4:89ca:ffff-62588-truee000:fc:cb4c:8974:2430:8364:2428:49-5355llmnr 354300x8000000000000000282102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.520{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local62588-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000282101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.517{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local51290-false10.0.0.2-53domain 354300x8000000000000000282100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.517{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54314-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 354300x8000000000000000282099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.500{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65089-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000282098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:48.500{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65089-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 23542300x8000000000000000282097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.338{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=831D31DFB881345C4D4093ED49B93A96,SHA256=B63C7264FC9FC98DA2408414A3FB87587AF95F28CEA3E25083EF6D7CDAEA35ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.319{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.319{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.157{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.157{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.157{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:52.692{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04B52BFA0C92E87B2FB16DC1A7E739A,SHA256=4723F2B3A04B21A33ECB92BCC96BCA975FEDD890DBB656407C9068009130322F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.586{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D32824FE762E38F3A8C915F8D9CB4CD,SHA256=1C3A0EDD6A8CAD889B61CE27887806A3DA874B908E6134C29AA64F654E478153,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:50.180{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65091-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000282116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:50.180{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65091-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000282115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:49.351{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local63651- 354300x800000000000000054832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:50.138{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51133-false10.0.1.12-8000- 10341000x8000000000000000282114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.171{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.171{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.171{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.171{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.156{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.156{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.156{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:52.156{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:53.785{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C460490F903096EF50967C60AC1592F,SHA256=2F42DB452EBE1D8ACD57269F4A6CC840C2F3C39679215D45A1369FDB44D4C446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.801{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE4E9149552EDEC1583C616D550EA26,SHA256=2D18BF11957EF2A855D0AD7192018475F9871423E97FC7BAABCAE5B4393884A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.538{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.538{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.538{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.517{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.501{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.501{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.501{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.501{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.485{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.485{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.485{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.485{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.485{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.485{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.470{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.470{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.470{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.454{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.454{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630817F95D1B1D8C44E3BC62510DBBFC,SHA256=9608FA5FF8E126E8B04F1D761B03F7ECB6A0DA490853C0A8106A101582FAD780,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.454{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.438{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.438{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.438{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.438{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.438{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.435{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.435{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.417{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.417{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.401{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.401{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.401{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F580A44DC6CB58788243B633E854FAB,SHA256=14A63E465C5C91215E43BAC5DAB13113C7977C1A9E658A0AD92DC4E88174BFF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.401{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.401{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.401{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.401{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.385{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.385{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.385{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.385{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.370{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.354{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.338{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.338{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.338{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.338{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.338{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.338{F81F30E6-F5ED-62DF-8F05-000000006F02}752010312C:\Windows\system32\cmd.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.349{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.338{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9305-000000006F02}3084C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.335{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.332{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.317{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.317{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.317{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.317{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.301{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.286{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-F5ED-62DF-8C05-000000006F02}943611180C:\Windows\system32\cmd.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.280{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.270{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9205-000000006F02}10780C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.254{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.239{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.238{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.238{F81F30E6-F5ED-62DF-8A05-000000006F02}87608852C:\Windows\system32\cmd.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.238{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.238{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9105-000000006F02}10592C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.236{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.234{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-F5ED-62DF-9005-000000006F02}103849260C:\Windows\system32\conhost.exe{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.217{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-9005-000000006F02}10384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-F163-62DF-1F04-000000006F02}22649812C:\Temp\dcrat.exe{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000282197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.202{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.201{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8F05-000000006F02}7520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.186{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.186{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.186{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.186{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.170{F81F30E6-F5ED-62DF-8D05-000000006F02}803210736C:\Windows\system32\conhost.exe{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.158{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.158{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.158{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.158{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.158{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.139{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.139{F81F30E6-F5ED-62DF-8805-000000006F02}1066011120C:\Windows\system32\cmd.exe{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.158{F81F30E6-F5ED-62DF-8E05-000000006F02}7928C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.139{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.139{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8D05-000000006F02}8032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.134{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.134{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.134{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.133{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.133{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.133{F81F30E6-F163-62DF-1F04-000000006F02}22648728C:\Temp\dcrat.exe{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.132{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.117{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8C05-000000006F02}9436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.101{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.101{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.086{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.086{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.086{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.086{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.086{F81F30E6-D97C-62DF-1600-000000006F02}13127632C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.086{F81F30E6-F5ED-62DF-8B05-000000006F02}89449292C:\Windows\system32\conhost.exe{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.086{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.070{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8B05-000000006F02}8944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-F163-62DF-1F04-000000006F02}22648212C:\Temp\dcrat.exe{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.064{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8A05-000000006F02}8760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.054{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.039{F81F30E6-F5ED-62DF-8905-000000006F02}111288560C:\Windows\system32\conhost.exe{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.039{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.039{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8905-000000006F02}11128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.038{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.038{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.038{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.038{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.038{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.038{F81F30E6-F163-62DF-1F04-000000006F02}226411144C:\Temp\dcrat.exe{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.037{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:53.037{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5ED-62DF-8805-000000006F02}10660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:54.879{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45826A357CC5C2A5385CB0CC634AC258,SHA256=9D54B25BF32124AC6ABC4088E1F1683862B33B3178F6ED769833EDF34475443E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.935{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799F76C9F0E812289A7977CC38E3DEE5,SHA256=2C1E1F1C4416F8BF7BDFC2AB67E764115B4DF9FC9C1B319E3C2BF475F9F87ECA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:54.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000282330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:51.241{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65092-false10.0.1.12-8000- 23542300x800000000000000054836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:55.973{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EAAFFFFFB7C7736CE0462A4EB4B612,SHA256=5916D2F21F288A7D520D2E0781B8FE74823993432231FF38702D0382B53BE8FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:55.263{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51134-false10.0.1.12-8000- 23542300x8000000000000000282340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:56.053{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E9F11F21FD0CCD7C3D63A3A90B7DA4,SHA256=0C6AC0DD4FC1EAA3D4223DFC9CF640D807441EC755BF68FD7D77E823AD4C7B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:57.067{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC035C59699E729471AEC95892DE8E91,SHA256=AF3E4DAFE70475EB068280FF2AC379C3A7998B52601205A8843ED089E566A77B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.967{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.967{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.967{F81F30E6-F5F1-62DF-AE05-000000006F02}103288584C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.967{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.935{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.935{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.933{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.933{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.931{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.931{F81F30E6-F163-62DF-1F04-000000006F02}226410024C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.931{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.931{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-F5F1-62DF-9D05-000000006F02}73205116C:\Windows\system32\cmd.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.926{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.914{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.898{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C149EC99CD490E0C153252D2172B36,SHA256=CE0698803ED89013AAC0281BD9EE9318B955AE201165A6B81DD8D40299F1F244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.898{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.898{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.883{F81F30E6-F5F1-62DF-AB05-000000006F02}112449560C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.867{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-F163-62DF-1F04-000000006F02}22647740C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000282589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.857{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.851{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.836{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.834{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.830{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.830{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-F5F1-62DF-A805-000000006F02}97728044C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-F5F1-62DF-9B05-000000006F02}907611212C:\Windows\system32\cmd.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.818{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.813{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-F163-62DF-1F04-000000006F02}22649648C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.801{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.798{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.782{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.782{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.782{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.782{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.782{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.782{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.782{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-F5F1-62DF-A605-000000006F02}96089824C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F29682125920A8330188C94A4DB0AA,SHA256=6ACF2E80C1DA4579972E9DA9CFD7669FE40871FA60F3707F151A1FBB287B5AF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.767{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-F163-62DF-1F04-000000006F02}22644088C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.752{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.751{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.735{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.731{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.730{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.730{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.730{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.730{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.714{F81F30E6-F5F1-62DF-9805-000000006F02}1123211224C:\Windows\system32\cmd.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.729{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.714{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.714{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.714{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.714{F81F30E6-F5F1-62DF-A305-000000006F02}73484588C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.698{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A305-000000006F02}7348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-F163-62DF-1F04-000000006F02}226410536C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.694{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.682{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.667{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.667{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.667{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.667{F81F30E6-F5F1-62DF-A105-000000006F02}544010464C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.653{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A105-000000006F02}5440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-F163-62DF-1F04-000000006F02}22648832C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.642{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.635{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.614{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.614{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.614{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBF102E60DBCF72EAA2493861898EFD,SHA256=FAC01989EF6CCEE0E1093DE94E126F7C44001D78C3ECD075C723D1D0E647DB65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.614{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.614{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-F5F1-62DF-9E05-000000006F02}94048976C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-F5F1-62DF-9605-000000006F02}85321448C:\Windows\system32\cmd.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.607{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.598{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9E05-000000006F02}9404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-F163-62DF-1F04-000000006F02}22648268C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.585{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.582{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9D05-000000006F02}7320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.567{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.567{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.551{F81F30E6-F5F1-62DF-9C05-000000006F02}90404360C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.551{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.551{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.551{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.535{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9C05-000000006F02}9040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.534{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.529{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.529{F81F30E6-F163-62DF-1F04-000000006F02}22648704C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.529{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.514{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9B05-000000006F02}9076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.514{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.514{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-F5F1-62DF-9905-000000006F02}88169124C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-F5F1-62DF-9405-000000006F02}82369688C:\Windows\system32\cmd.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.507{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9A05-000000006F02}9028C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9905-000000006F02}8816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-F163-62DF-1F04-000000006F02}22642556C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.490{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9805-000000006F02}11232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.483{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-F5F1-62DF-9705-000000006F02}34528616C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.467{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9705-000000006F02}3452C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-F163-62DF-1F04-000000006F02}22649748C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.460{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9605-000000006F02}8532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.451{F81F30E6-F5F1-62DF-9505-000000006F02}97328528C:\Windows\system32\conhost.exe{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9505-000000006F02}9732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.436{F81F30E6-F163-62DF-1F04-000000006F02}226411188C:\Temp\dcrat.exe{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.435{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.435{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-9405-000000006F02}8236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.098{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B329CAD214EE3C397F693412B317930B,SHA256=098975448482D8407E251AC8C6467541DDA024F88783D5210710776B122EF62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:58.160{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254DE5FEB5B8D131723370A8BFD36792,SHA256=3C3B29728B490C2F54EF9D86EE6BCF978B9654180CF5C4606A6D4635E7D1F8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.997{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88816ED0DD1203536AFFD16FFE6D098,SHA256=2CA0F45691D8316895C13E5A5940940319D44BE4E307CD8A411C7C87215A6B3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.831{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.829{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.813{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.813{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.797{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.797{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.797{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.797{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.782{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.751{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.735{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.735{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.735{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.735{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.735{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.733{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.713{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.698{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.682{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.666{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C69B030F7D5151FC192097534FC245,SHA256=B6F80BA72D3D82C0082177F2BC4B6C8F1527E9FA3916A8192B775FFA8697FE6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.651{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.635{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.635{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.631{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.613{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.582{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1FA886DBDABC0B09F61DA52C1091F9E,SHA256=61F1C68EA54E0EEABA49D63AF01F7BC881E17C7AA968776516F875C1A83BAD83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.582{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.582{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.582{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.566{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.566{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.566{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.566{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.566{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.566{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.551{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.551{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6743FFC621C499D3DEECDF44006A64C8,SHA256=9AC67D6032212BEC9021B15B6EEDB2F5E09ED6A2C027C9697D31747D9D490261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.551{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.551{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.534{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.534{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.532{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C310801A9EA1D21DEA113498F0DADB,SHA256=DBB87D14853387EAC8A43D17DEC756B31C4AF914221A46A1A0C9AB2CB98F9ED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.513{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.513{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.513{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-F5F2-62DF-AF05-000000006F02}80807976C:\Windows\system32\cmd.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.498{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B705-000000006F02}10576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.482{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.467{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.467{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.451{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-F5F1-62DF-AD05-000000006F02}240010248C:\Windows\system32\cmd.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.439{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.435{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B605-000000006F02}10612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.414{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.414{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.414{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.414{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.414{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.414{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.414{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.398{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.398{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.398{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.398{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AD05-000000006F02}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-F5F1-62DF-AA05-000000006F02}13565392C:\Windows\system32\cmd.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.394{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B505-000000006F02}6204C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.367{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.367{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.351{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.351{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.351{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.351{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.351{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-F5F1-62DF-A705-000000006F02}98925860C:\Windows\system32\cmd.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.341{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.335{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B405-000000006F02}6424C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.314{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.314{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.314{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.298{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-F5F1-62DF-A505-000000006F02}95289524C:\Windows\system32\cmd.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.290{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B305-000000006F02}7428C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.282{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A405-000000006F02}3440C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.267{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AA05-000000006F02}1356C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.251{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.251{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.251{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.251{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.251{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.251{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.251{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.229{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-F5F1-62DF-A205-000000006F02}1043610540C:\Windows\system32\cmd.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.221{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-A205-000000006F02}10436C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B205-000000006F02}5720C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F1-62DF-AC05-000000006F02}8484C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.214{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.198{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.198{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDF0DCBDE3FD9733308AC1FFC83ECF5,SHA256=60EE6D3965AB7227426616AAADDFF4809A032CEABCB6025BCB7DBC45B87C9955,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.183{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.183{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.183{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.183{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A705-000000006F02}9892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.183{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.167{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-AB05-000000006F02}11244C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.151{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.151{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.113{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.113{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.113{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.113{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.098{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F1-62DF-A905-000000006F02}9956C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.098{F81F30E6-F5F2-62DF-B005-000000006F02}733611148C:\Windows\system32\conhost.exe{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.098{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.098{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.098{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.082{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.082{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.082{F81F30E6-F5F1-62DF-A005-000000006F02}924010428C:\Windows\system32\cmd.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.096{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F1-62DF-A005-000000006F02}9240C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.082{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B105-000000006F02}8132C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.067{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.067{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.067{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.067{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A505-000000006F02}9528C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.067{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-B005-000000006F02}7336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-F163-62DF-1F04-000000006F02}226410296C:\Temp\dcrat.exe{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.060{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F1-62DF-A605-000000006F02}9608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F2-62DF-AF05-000000006F02}8080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541D6F4941AF3E6F1BA8422101A1CDE2,SHA256=0DC45AADC1BA7B9A3D6A1459B2296CF3E605B5E0A47558E01D07D3F7589D1296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.051{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-A805-000000006F02}9772C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.014{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.014{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.014{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:58.014{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F1-62DF-9F05-000000006F02}11228C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.998{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.998{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F1-62DF-AE05-000000006F02}10328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:10:59.254{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E89639B19EF24CE09F7A02EB2C87A6,SHA256=21E7B5B3313F277CB26C8C9BA7ADBE1129E71C47FBD828042598B2F62DBC768B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.681{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000282909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:57.255{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65093-false10.0.1.12-8000- 23542300x8000000000000000282908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:10:59.234{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50377A808D03AF3101E7E7A0776B08AF,SHA256=B656BE254908966E084B2056E7C65F35D631BF2A162A1FBFFCC1CC842699EE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:00.348{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D2D5C230FABD1306AA31054B7C2425,SHA256=C7E5F2AC7BA9A118DA722A7BB6C9A521723727F71A88260FB352FAFA92C11F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:00.280{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA9B2572BA2973A0E05C814C81E17B7,SHA256=BF6CB07F157B2342C55E68C0AD9E97C2A01F68CCE8C5FC1B8AD7DA0D7DE6A7C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:01.442{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F0EE836C22A3F56E63AC8FBA57C1E7,SHA256=10D4CC62A17E558B2BFF8ED107642390A8BA7DCA399F013453E7C672905B3C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.795{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE73D2AE4EABB3F337484BF77F6F842,SHA256=06547C7CC47B7EF3E8163567CD6E1CD4B0C658CE16EB519DF2AFE1BC7BC5ABE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.579{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.579{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.579{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.548{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.548{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.532{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.532{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.532{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.532{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.531{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.529{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.528{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.497{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.480{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.480{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.448{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.448{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.448{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.448{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.448{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.448{F81F30E6-F5F5-62DF-B805-000000006F02}971610860C:\Windows\system32\cmd.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000282957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.458{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000282956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.448{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F5-62DF-BA05-000000006F02}10316C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.429{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D547B7DEC91B28160136B6794E80E506,SHA256=E15F7D497A98E401ABB49FE686B55924EB71FCE6D8F79BB53FB32A1AB13E32B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.427{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.410{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.410{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.394{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.379{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.379{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.379{F81F30E6-F5F5-62DF-B905-000000006F02}928010276C:\Windows\system32\conhost.exe{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F5-62DF-B905-000000006F02}9280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000282922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-F163-62DF-1F04-000000006F02}22649224C:\Temp\dcrat.exe{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000282921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.368{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000282920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.363{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F5F5-62DF-B805-000000006F02}9716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.310{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6B9374677AE6B4AEB94B4BE22B0BF3,SHA256=DBC8A52D045AF6533A3193ABFC5BD4AA7E22ED4DE6D535C46B7B6B14871624CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:01.309{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51135-false10.0.1.12-8000- 23542300x800000000000000054843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:02.535{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A92D2E6314F4A32866345BCEA2C1A5,SHA256=348DFC94CA5C042DE5B8E4E14879173B39100831689306A20304824B3B53946F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000282990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.762{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000282982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:02.348{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFEA9BC4FC29AA2B0495232230C0C19,SHA256=2C6CAE48ECCB0BD6FB3FA1B64958A1B0000F00CFA3C10FDDFE0ED4EDFEC07C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:03.629{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335B2815960C4626AD2E5700F6C0FF40,SHA256=EA0FE2504783927AE78C2CFFCCBE1BBFC373D545A5CB4BBAD90D0873FACAC0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:03.861{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5875F9FD324DE86F4E280BA4DADDF15A,SHA256=525CFAB006EAB081DCFB44B328D833C177DE91C2C327637913529126DAEA5A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:03.393{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C773AA87DA96AB53A614D5AF048E7F,SHA256=F4168BCE841AC2750C44DCC53F433F7762C8AACCF0AA691601F62774EB96B18B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:04.723{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15080D14CF99DCCD700E35A9F013EB35,SHA256=CFAE798AF5C7A2D3EA0F1F8BFB38B2B4EC7AF9763304CA8981F1E2DE28A6EA32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.801{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65094-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000282994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:01.801{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65094-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000282993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:04.426{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB3C443C601203CC03EDF43D7A5BA03,SHA256=B51AAE03DEA7B6EA499C6EDB55B041EA1B8D4E837049980442D5C6C5FC105066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:05.817{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2B50D72332A3A16F50CDDCCA2C21FB,SHA256=EA1C0C231FED8C2583916C18DFE94E5E8BC47DD6395A4957ED4F060084B6EDC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000282997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:03.148{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65095-false10.0.1.12-8000- 23542300x8000000000000000282996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:05.476{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E3C3C3792AC1A45EAFFE7EBF54DE3E,SHA256=EAA6D22F9D491288A2CC1A936DB5478B730DB2FD816B59E1F7619F639F1B2662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:06.910{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F88532B8AEB7537AC771D8A7E3656F1,SHA256=46E04F74636F7B37810127F3AA67E6017010DD3FDD9EF31EF993780C3B43C43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:06.506{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E70920486A1365BCD7B7601080BF2A0,SHA256=67E042532B63748E252D487D8430BE3E043C25E0690CF8CC8EFCA71D538F5457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000282999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:07.542{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E894578503D1FCE709B21A3A53B2A717,SHA256=5592316739F0B8B63F14567CCFB443811B0D83A4003EE00286255A03DFA56D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:08.645{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC70C46580C54968EE5743BC024B436,SHA256=BF7D1F55E245266780D844C1B5974A65CBC2B13B3BFCBAB01E1469B5729EFF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:08.005{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38888541F2F13824EEA29B074E5197E3,SHA256=EC10367A8B11EDF80841E4BD9C668B7F52E6DC03670B3AEF5235497BE8970BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:08.408{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:08.408{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:09.775{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40233D793A6600FED9D4E77BDB87A9D8,SHA256=C39E7AAA79D71AECB481C13FD6B6F54C87D5CD62182B878049670A8EBEB1BEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:09.098{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990302415986FDB73F0EF9FBAAFD901C,SHA256=0CC86576ECBB07BDCFCFA2DE34E364B55728CC6B0354CE66CAF204AA37F51536,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:07.184{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51136-false10.0.1.12-8000- 23542300x8000000000000000283004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:10.823{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABFE01A2FD1B258A67A6E816B14B716,SHA256=1BD64069193AA0EDF7D55D4B3CB73CE6132889F00BB7016C0E019D13E68BB1AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:10.192{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554D7F59BA327F8B95AB8C14422B67F6,SHA256=2695C4A0268E31101BA3804016397CD7A13D2E3B4BCA9851363614F88138DA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:11.989{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15A9579B7AC59CFDCA8E51338A82AB7,SHA256=34A4314F8FD9B439C1FDE631596C24B367D3ACCA39A4B975BE284AB1FC32D17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:11.285{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A925366915843C6BAED2526E205C8982,SHA256=9D15209EC729F04C7DA5689EB3E62D586A088BA9463D746B268378D2BB77946B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:09.167{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65096-false10.0.1.12-8000- 10341000x800000000000000054882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.978{53069400-F600-62DF-CD03-000000007002}3564964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F600-62DF-CD03-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F600-62DF-CD03-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F600-62DF-CD03-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.770{53069400-F600-62DF-CD03-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.379{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A038732A13B57CE0E2AE91BC70B375C,SHA256=0E5275102B27267FC5EE7BC1437481922152DB4EF98CAA496F61FE4871A5EDD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:12.057{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:12.057{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.301{53069400-F600-62DF-CC03-000000007002}29523024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F600-62DF-CC03-000000007002}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F600-62DF-CC03-000000007002}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.098{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F600-62DF-CC03-000000007002}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.099{53069400-F600-62DF-CC03-000000007002}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.473{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0838927ABEBCCB6E186393D7EB1E0B9D,SHA256=D4D2CDAE6B59D5B97246B2A9C59F5C23D641E03C447C1028B710159A9B02973A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F601-62DF-CE03-000000007002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F601-62DF-CE03-000000007002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F601-62DF-CE03-000000007002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.442{53069400-F601-62DF-CE03-000000007002}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000283017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.604{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.604{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.573{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.573{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.426{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.426{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.389{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.389{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:13.142{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441BE8B7D6D9042F1E972F417E85AB29,SHA256=71602D74DFA7A39E3D25385C28E38AA3A925B033739FCAA2F1F62D8866AB0C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:13.301{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC7C29B4F5FFB86B9F313432E351D530,SHA256=3735471ED351DFBE085E5A843449DF3401D380F549DF30AC6B6753BD17656F10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.957{53069400-F602-62DF-D003-000000007002}23442356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F602-62DF-D003-000000007002}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F602-62DF-D003-000000007002}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F602-62DF-D003-000000007002}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.774{53069400-F602-62DF-D003-000000007002}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.770{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3AB731DA300F087FA53B66BB0C398B,SHA256=0C0A6E8E6AEB30F27EE04A6B6A1E622449DBDCE7496E43078A2B0DF0AB0ED1AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:14.272{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469C5E9C3A956DDB774A1CF28FCFB904,SHA256=16F4AEFC4CB3F5002489426929595C4FC262D3F7873A752CE88D446312C0B99E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F602-62DF-CF03-000000007002}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F602-62DF-CF03-000000007002}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F602-62DF-CF03-000000007002}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:14.114{53069400-F602-62DF-CF03-000000007002}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:12.309{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51137-false10.0.1.12-8000- 23542300x800000000000000054941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.911{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4BD7A970EDEDEF572EFCFF97253169,SHA256=C2198398A77F2BC39ED558B3E3DEA9374914F7E22DED5C23CBB7C771272FB2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:15.373{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73A218F23213AB2D5157CC0E30FFBDC,SHA256=5389111F408D1F842A9203084834D6D559FD9DA217E3E9CB16F69A095181FABF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.630{53069400-F603-62DF-D103-000000007002}18801120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F603-62DF-D103-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F603-62DF-D103-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F603-62DF-D103-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:15.442{53069400-F603-62DF-D103-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000283021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:14.228{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65097-false10.0.1.12-8000- 23542300x8000000000000000283020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:16.404{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4901159D593EE3707305A14EE9844BE8,SHA256=B2D4854073A706E05EEF9A1AC90395992ACA26EFD4BEEB27B546777199AB509B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F604-62DF-D203-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F604-62DF-D203-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F604-62DF-D203-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:16.114{53069400-F604-62DF-D203-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000283022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:17.556{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10EBC2D974A6AD296245E27CAE7CDDF,SHA256=85CE68AB1FF30C5AB81BDB65E0C16F385A89DBDAA15BB95B638F3AF68368C953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:17.020{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AE6C885A48D031B192C98039DD05BCF6,SHA256=FCC967899AB6BC363A68EAFAF1D28E22E66F69E9208337166789D6D5518CD49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:17.004{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8189899DCFBA24972E590CDC0D3CE04,SHA256=B34FAED6603D7DA95C9D38B8BA356F4CBC4A6B70673B0A4F396A85698286202A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:18.601{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E91084E8AD8DDE281F1B6A0953883B4,SHA256=B7DDBA5BD00455DF03DCE51142CB561D5A8DB83DD06086701FA0C53202F97048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:18.098{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D3447A943872E9EEF23A286E2BC380,SHA256=04CFD4BAD02301BCFB937602B93963C1A0CB0FD41CFEBC38A6D51568A32576C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:19.718{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5709BB5D4707087755A5E15591591205,SHA256=4B8D8E2D692873726264BFF32A76246616F7A1822583D349928DAE092E09876B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:19.192{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5025B81ECCB113243DD450C7725F97,SHA256=7F897D22F7049AF9E1EFD9DD3E2AF3B2C373A77D9744C2FA7880F6CDDB5E9426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:19.238{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:19.238{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:20.867{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABCBB1B11104466EF164A4DF5E17208,SHA256=A49E3EC5B6CE1B951544E56E52EE17C6CA25D87E8253C4BB81AF5405B69FF514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:20.285{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3CE9FD5109BBE9C733FEA7C0DC118B,SHA256=F37C40CFFCBD78D0C3024F11F3596EEBDD9DC3957A3B7A7DA8874D73D23591F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:18.294{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51138-false10.0.1.12-8000- 23542300x8000000000000000283028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:21.914{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D477479412B9DB37F7BBB8454AD8761,SHA256=25F9938396DD370E931183B029FACA473E8BD2FBBAA2E95F5D161EA49455FA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:21.379{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E05F5B24E6880AC7553E341FF39997F,SHA256=E3971988A49A636E2DE4BE6FDEC161BFB6E3B7116D38099E5CB0565E49EE1C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:22.965{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF15180136BCD24078FD5E24C1B6A0F,SHA256=21E74DB385A0B8A6377CBED131A275D43A3475B98E18852F36EA3143880173C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:22.949{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:22.949{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:22.473{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C9CDAD0BC3954B51F566F91D48CC5F,SHA256=7C0FC05147EDCB0F174AD6D8122AAFC70B2A04C66F0B1CA02B9C08AA7B8EF8B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:23.567{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA677665F3F47DF29C5E6B4428D2168,SHA256=A7DBA6F1C34DBCA73282DBC24C21343C81D68A6DA82A5462F4DD4865489E9B56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:20.260{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65098-false10.0.1.12-8000- 23542300x800000000000000054964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:24.660{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED97254E1F1274CC67BC8DB043E4B2AE,SHA256=ADD30E8C73D9EA34652FBF09C2EAF908E1DD50DDF91F0AD851AF014F2A80C53E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:24.634{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:24.634{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:24.065{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46333789E113D39961EC3C4B68AA1C6D,SHA256=8E42DC5C035F0F130A10A48B0A528E183D67FA3ABD7F4BE4FB779E6D70665140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:25.754{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3E25904155697452BD339FF38A1886,SHA256=AD421A87D607950880789DA0FAB8BFF736AF2BAFFEADF506FDC489DCC2A2A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:25.196{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE3B46BAB62B0AB5A97AABBD28A3C50,SHA256=C9752EEBEDC03EF594EB9D979B76F9D44CB3EFF2D4F54912D0DD78158CF083DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:26.848{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973A884303BF92B59A3305A84B16CA2A,SHA256=B484882113609EA9FD2CE405B1AFC3533D5891A3711A1C6A8EC7D81A608E6492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.695{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C798C2661109365B03F99922D5577657,SHA256=576F269A99C8BE6AA82A0B88A99D6EED8E73F8D5CF0DF6CDF79B1B51E651AE27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.548{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.548{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:24.247{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51139-false10.0.1.12-8000- 10341000x8000000000000000283090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.548{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.548{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.548{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.532{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.517{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.495{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.495{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.479{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.479{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.479{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.479{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.479{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.479{F81F30E6-F60E-62DF-BB05-000000006F02}1109210872C:\Windows\system32\cmd.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.481{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.479{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F60E-62DF-BD05-000000006F02}9828C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.448{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.448{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.448{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.448{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.448{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.432{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.417{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.417{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.417{F81F30E6-F60E-62DF-BC05-000000006F02}110889476C:\Windows\system32\conhost.exe{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F60E-62DF-BC05-000000006F02}11088C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-F163-62DF-1F04-000000006F02}226410764C:\Temp\dcrat.exe{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.399{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.395{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F60E-62DF-BB05-000000006F02}11092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.212{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A684FFB2C60219B6DC2D0986AE0303C,SHA256=DE51A79D5344EE70A506D7166B28601EE34527C7CD256616FFD4B67CD8B63EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:27.942{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8995BB17A81400F95D8764BD2DFC4B,SHA256=876D136A71886C130A47B3648378AD157FD4A49AED67B63A6528357610B4ABC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.547{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC79E52154E426C0C46C91DA3B155018,SHA256=044DB987C555E515A447FF8FC76FD5F83A55C0D7DC2E794DACC42C0B880BCF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.263{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46FE69C081A5DDDCD05F0D41B14758E,SHA256=1A0474868F51C0199CBEA9A4E21A9254F84F28C8D2012B9AEAED26118E9E86F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:28.413{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B857E2355561E7F940DAD2DB27228B35,SHA256=F8A69A3A93188E5DE11CFD1EAB7D5AEC9622447462CFC09FF0CD552E8B7D4085,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:27.847{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:29.816{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+183f230|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183f6cf|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1907bb7|C:\Program Files\Mozilla Firefox\xul.dll+1ae0b0f|C:\Program Files\Mozilla Firefox\xul.dll+1ad8cb3|C:\Program Files\Mozilla Firefox\xul.dll+18163f3 23542300x8000000000000000283106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:29.547{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C944540453648FDF0331C952755A649A,SHA256=512F3D8305147C786C1FE134CD5758F1E223CC33EBD6F7BA661DC5ED62E4E44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:29.035{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A250CF7010E1D71721FBBADEF8E71D,SHA256=7D5E4055917601923A3B6372ADDE5015352AEE750DBD1D41D5EBC97511B033D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:26.034{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65099-false10.0.1.12-8000- 23542300x8000000000000000283111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:30.911{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E0C6394DFF579FC66009F4E6D4C3C11E,SHA256=23A1AF0498977C0B4D62C24FCA4162051F98A763FB9B1F50817A445875D6CABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:30.663{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F42F89911062DB5D33D04FDA02EACDF,SHA256=5B5523AFECA7DEE3BC2EEC0C0EC9D45D0F0B0CE487786D9F6014DF4E52C9BDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:30.129{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC4CA3130222B86378165A79BDD3E9B,SHA256=987C8A02CA1B4C3342238F6225296AD69ADCE1FCB9E3EEE934467DD305CBD9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:30.116{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+183f230|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183f6cf|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1907bb7|C:\Program Files\Mozilla Firefox\xul.dll+1ae0b0f|C:\Program Files\Mozilla Firefox\xul.dll+1ad8cb3|C:\Program Files\Mozilla Firefox\xul.dll+18163f3 10341000x8000000000000000283108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:30.116{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.815{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D06EBDA5523A0937F69633850FCE75,SHA256=8F70C0BEB6367F6189045CAFBBB05656ABA24036094905B02F9B17F05B5E60E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:30.185{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51140-false10.0.1.12-8000- 23542300x800000000000000054971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:31.223{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B96B714A1BD8B7DC3A7093B6A021E68,SHA256=D73024DFCD6CA9F15B3B4AFF23A009DA7CC49CD072D5AA150097D0A9511AA058,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.562{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.562{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.562{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.562{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.860{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A73803A755213F52614DA391D83697,SHA256=322D1D12DEC3907ACE8EE451B7B7AB09F64D22EF60EFA3E4809CB13E759F229A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:32.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DABC865091F5E90CD24F1968E14B988,SHA256=D29B39911BA67A3C530D580C65984B67EB9F028453FF2E505E33A56E2A1DF844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.760{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F614-62DF-BF05-000000006F02}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.760{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.760{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.760{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.760{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.760{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F614-62DF-BF05-000000006F02}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.760{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F614-62DF-BF05-000000006F02}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.761{F81F30E6-F614-62DF-BF05-000000006F02}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000283130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.330{F81F30E6-F614-62DF-BE05-000000006F02}56286696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F614-62DF-BE05-000000006F02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F614-62DF-BE05-000000006F02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F614-62DF-BE05-000000006F02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:32.093{F81F30E6-F614-62DF-BE05-000000006F02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:33.410{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA313A7892CB20BF706EA0F2AE8204AF,SHA256=4C26C443D27268F93ED13D6742660F54D42ADAFDD96BA2556EE511D2529C40D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.428{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F615-62DF-C005-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.428{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.428{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.428{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.428{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.428{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F615-62DF-C005-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.428{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F615-62DF-C005-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.429{F81F30E6-F615-62DF-C005-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000283140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:33.144{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=851AD7EC11388E2E5EB44DA5F2FB3A1A,SHA256=A68432AA41AFE953C246ED1F65705453E4035D20CC9A55B2BF4B20CC87E28AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:34.504{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C391E2E49B6A1CC0F30D102B43A05D5,SHA256=3CCA078EFC303DEE9F35D5950071965256A9C610E7962285E763AED396D0E967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.877{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E282772D23F9F7FE15F96F217427B339,SHA256=52CE53BD0071BBDB9C4DBB8640AAF82E1BB37167332FE33B450FD94675F0F47A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.793{F81F30E6-F616-62DF-C205-000000006F02}100808072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.578{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F616-62DF-C205-000000006F02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.578{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.578{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.578{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.578{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.578{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F616-62DF-C205-000000006F02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.578{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F616-62DF-C205-000000006F02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.579{F81F30E6-F616-62DF-C205-000000006F02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000283158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.391{F81F30E6-F616-62DF-C105-000000006F02}100765432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.091{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F616-62DF-C105-000000006F02}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.091{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.091{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.091{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.091{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.091{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F616-62DF-C105-000000006F02}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.091{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F616-62DF-C105-000000006F02}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.092{F81F30E6-F616-62DF-C105-000000006F02}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000283149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:34.011{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFA6DDA08AE75174C9F7E35BA57FC7E,SHA256=9A7C31F57654DEE41F425144CFC907C50BE74D484AA7B081518F074B846D0C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:34.114{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B9C7A91D9E6FA44D532FBDD9650F4C81,SHA256=7FDB28DFEE0FE3F7D3AD2FB3B826185849AA3DFBBCBC4B76ED4FC2652BBF0303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:35.598{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87179993FAE8793471388DB3728371F8,SHA256=ADC62793581D0146421E399A41B11073DB7A6AEDC156CBF11B606ECFF12DB06F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F617-62DF-C405-000000006F02}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F617-62DF-C405-000000006F02}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F617-62DF-C405-000000006F02}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.930{F81F30E6-F617-62DF-C405-000000006F02}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000283179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.462{F81F30E6-F617-62DF-C305-000000006F02}1046810856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000283178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:31.257{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65100-false10.0.1.12-8000- 10341000x8000000000000000283177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.261{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F617-62DF-C305-000000006F02}10468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.261{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.261{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.261{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.261{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.261{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F617-62DF-C305-000000006F02}10468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.261{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F617-62DF-C305-000000006F02}10468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.262{F81F30E6-F617-62DF-C305-000000006F02}10468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000283169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:35.146{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4E269AB6930CDEC2D667D5A6A69CC6,SHA256=89F3B1765097E0D5255FC44B367735D6D1C49085B70BD61ACAE1A26F338842E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:35.216{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51141-false10.0.1.12-8000- 23542300x800000000000000054982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:36.693{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D3088DF3FEBF2917F5981676A8D1ED,SHA256=F8AC365262CDE5917881BE96FD65F313DF21C9A06FF5BEA9230C41DC4953F18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.746{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E333501BFA889865FB79EE8E1B0ED9,SHA256=D8231797968AC4556A34D388A1733DE61BA748B2508961FB52063180ED10DC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:36.383{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-118MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:36.271{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:36.271{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:36.271{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.109{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.092{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.092{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.092{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.092{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.092{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.092{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.092{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.013{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:36.013{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:37.809{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C3647B149BDD4D1FCE83221D5035CC,SHA256=D0D29A28C5E2A63A2DB98D38E2FDAF78A5DBE1531A9FC09221DB90BA94A58BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:37.785{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992689D71C464B4113C27142C16F552D,SHA256=9FC0CDBC9C7E07DD01187CEBA0D50EBDD54BE57A9C383B2651EEFCB2B55F1FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:37.396{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:38.844{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDB5CF6B449899FECDA1359449A4FDB,SHA256=FD8B5C5ABC32C288EBAC416B1E736AB85844BD179DC34F2334D2C70F746D0708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:38.880{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94300554E664E11F53D9517F27A5B46A,SHA256=BB6C7453CAB11A19586E0FF191491D2934147DC9EE4EE1C04F1670537DEA2434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:39.975{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BA3CADFC543452B90E50A4B5E607FD,SHA256=90CF8D1E1720C7A3F61E69ACD5EFE5FD34641279FEEDD7BECC82DCE1EA7953E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:39.974{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69E0BA9237664C659E5EB77BF26034C,SHA256=04AB3A81D3DA6209EC05456D7906D8A0CDB23B3C9CDDC413B88C2F4DBFD2AAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:37.253{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65101-false10.0.1.12-8000- 354300x800000000000000054989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:40.170{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:61a7:22c3:cb75:157fwin-host-ctus-attack-range-459.us-east-2.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000054988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:41.067{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EF96234844332A1E33CE6D531D78A1,SHA256=79D77CED09B74D66836DB37EA7C4B393E53FEFDFED47A5718DE5D62CE1352172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:41.108{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653A846CD4B148DF60265FA3CC2655A2,SHA256=F434F5BEF0C8175EB3B8706D3DBF37DAFAA0D34187624379CBCBBFB8D3B38980,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:41.232{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51142-false10.0.1.12-8000- 23542300x800000000000000054990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:42.161{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E0802E303444FFDC85C9DF525B2A0C,SHA256=F00F380065DE3B17F1E57A0B528550FEF40C31189FC3A2A8BCFB774E4536D00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:42.157{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EA23657369078D7458C2794C3F2133,SHA256=D64F11AD82C1815320F32670D808CC0A7FABFB751DD85B70DB84D0F35659BF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:43.255{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D385FBBC25D17E3FF66D1ACF66A3B369,SHA256=BF1804775E02480145278E41F43921013B5D38AADA8F4C47B068C5BAE8D40B2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:39.900{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000283205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:43.289{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2092C0EF348AAB02B56BFC24C329EA68,SHA256=66CAEE003A8D204F07591549D460B9654CA4C7E679D88E0D0D8B6713A04FFB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:44.349{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6624DC21D49256370E825466A08E5080,SHA256=347C295AB7573950B4CB73ED513BEC55BB6D0350556DA7ABB6321C2B44627C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:44.424{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349A4FF743A9A81F02C9333FA6B32D8D,SHA256=72D3A2CF1A037D49E55C97ADB02EF2FB98091FE2165A2BEE4BD612ABE1234322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:45.442{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F898665E4C10082B2ABEBD677948A5,SHA256=0B03BA9C1C2790F006FCAB6760D5B3651F2166A276DD58642A4AC374E37F54D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:45.456{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D5631B6DFA1ED124E52ED93A04610F,SHA256=FB3D0DBFD2FD318AF941367C70DFCAFD5D880B2F4AAF810DDFD65717607039D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:46.536{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356C81DD599324F1D860530E2266F881,SHA256=52FAE9F7EBD5B26B893AA6335DD751AFA423DD1DFF5028C95D8B83805E0D9EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:46.487{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1999F7C4C7C8976275ECB1466C1491E,SHA256=3EAA50BA3C2AFB7D16D13E26DB1EE93AAD4B21E38C16C9D4D959F1F97648453D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:46.224{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:46.108{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:46.107{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:47.630{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6333902DF1F7B64EC6F0425CB318A769,SHA256=7CDCA12F3FD6AA0AE08C7ED657A70380B9F237E30D474EA9879EBA4DC46EDB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:47.639{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EB2E904C9808BCDB9B5C53EA0C6FE5,SHA256=DB83D4590BCF12B7B8FEB280A6B5A510A9FD13ECC4A2A6EF252624EE9D696D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:47.255{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=64766FB2C4EC2A4EBA14D655316A217F,SHA256=1F862BA18F697FBE5B54E97795CB01BB1FE7C4FDD71FE9BD34DF578DBE2122BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:43.248{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65102-false10.0.1.12-8000- 23542300x800000000000000055001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:48.724{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C159838AE5E2A10C4F3A4327132838C4,SHA256=ABFD9E7B88266C5570D8867A755D6598610AD65BE8272F173B6EDEAF9E12DAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:48.684{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB435EE348F921CA47BA361FE0572097,SHA256=E61011A4FAE86D19B26868CEA3DA1BD74F95D5F984D5FAF8E8B5594CFD94F401,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:46.279{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51144-false10.0.1.12-8089- 354300x800000000000000054999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:46.233{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51143-false10.0.1.12-8000- 23542300x8000000000000000283214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:48.202{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=101C6852F3BC162C543D6DE972D8CDB9,SHA256=1ABF6DD107FC3C5ACAF1C4795ACC4312A315944CE51BF0F598F0AC458498C831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:49.817{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A20E25E10773499C33B972BE45B09C,SHA256=CE359D5B7A1B92BD1A802A345FDC812F8AD9FBF64CB430C16B13EE56AA431236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:49.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811EC53BD272C1BD8CEAA1D78D01AEC3,SHA256=9B3800F5758BA996E54ED686A9E8E8D3DB6EFD02277BFAC012BBCEFB8F42CE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:49.203{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:49.168{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:49.168{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:50.846{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60711FFFFF906DCB5CC42C478855C42C,SHA256=773DEE36322113F8A36EA7AE1F2ED3F9CC4E1E713B7D7F1D54A0173306C4C866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:50.911{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02E3A310995218796827A32ED493D3C,SHA256=C0FBDC956DE9DB19AF8398F97E707E82ED292E3E370C77052EA34019559A27F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:50.802{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-118MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:48.262{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65104-false10.0.1.12-8000- 354300x8000000000000000283223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:48.209{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65103-false10.0.1.12-8089- 10341000x8000000000000000283222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:50.336{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:50.336{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:50.336{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:51.880{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC9013CE14FA0805C330A622E7EF80A,SHA256=3CCB27AAB19DB93405990AFB08AB6563F3C6695F32CFA0CD9FA4909B8EEFB850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:51.820{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:52.899{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59D4B148B9AB0A05C395F8860EDD8B6,SHA256=31661C06DCFF5638C80C677139E923B6DCA2B563EDECF819901A1287DA9597B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:52.005{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EA862A12BCD137BE0AD26848F3FDFE,SHA256=D7D0C8B9F7B2700BA3F5C8C2687268D14C236CB7967D554E1A85982F6AC280FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:53.934{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1671BA0FE26FB67DF46EE209C610481,SHA256=8BCBF4BCA5BD92866EA4447D44B818F789402B3ABB9C8DCFF74DB2FD3E114D08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:51.263{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51145-false10.0.1.12-8000- 23542300x800000000000000055005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:53.099{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FF5B9AC9A25B575B8E5668FAEE6CD3,SHA256=43486C2EDB2455CEC4FE122436239E67AF6C6A432912CF9B4DE808C1B9FEBEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:54.980{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE4372BBC22584500E733439A82188B,SHA256=CDEA2BEA421A8A26EF1C6246D1E2EF5B8793A90742E4D219E8079278B48A988F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:54.192{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF16400E2A15375CAFEC2252CF853C8D,SHA256=004AB2692F9FBB9F3FC3A5848EAC710784FB0D8DAF43FEA10B256C773B12C0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:55.286{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BECC5A01071EA4FE13562D88400229,SHA256=8E98FC3F845D4E8195DBADF5ABC0B29D8E17E16F2A224F0FE85CADE66F825840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:56.380{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE506351C96BB331D9EB3F15F1C5753,SHA256=FF1667EFFFC8539551BBF4D18CAE8C46B2882F76474575DE0D470FF4A1F592B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:54.105{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65105-false10.0.1.12-8000- 10341000x8000000000000000283244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.480{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000283243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.480{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.480{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF701ffa.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.465{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=E724C7B0827C4838F4FECBBD81208B90,SHA256=99B4F8F2CA473A62CE8EF53E1BF39920819D2CBB595DB795B9B14227DE69E804,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.433{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:56.133{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4113E5492D9A3B1080723AB14139621F,SHA256=572B2EF1EE12CAC4B1A62FA6FC6E223E7EF7D113421C890A3C52AE7C2D3ABB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:57.474{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D7AFEBBA2D0BAFC5676D97808C98A9,SHA256=DF41AD99971AADE0174C0D4A6AE84B3B3733DB4EA87AA94E8EA4A21E97812141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:57.149{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34F9739A18F61D9A2CFCC91CAF49B50,SHA256=A804301B2EDA9BEDD17751BEE3618F535C91C4108F927C8B80277765A3ACE132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:58.567{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F4C5FA30C25C2B43F2607590767D22,SHA256=031A4D180D3CA289F30C49AEA3CEFA8AFD53445BD20F99CBBBDB90525F280AC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.532{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.517{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.517{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.517{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.517{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.517{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.517{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.517{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D72FB5DEF954D6A360614671094CBA5,SHA256=BA7E99DC4191CA1969AAA58DC4FC36C805BA57CAE20C3E2444AA65F5BFBF8D4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.264{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:58.264{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:57.169{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51146-false10.0.1.12-8000- 23542300x800000000000000055013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:11:59.661{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA24482FBCC983F8A9F1D3153D906380,SHA256=E00E5724EC56986D35186FEE39D6A790D39291253945AF747468F9F4CEFD1881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:11:59.379{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FB6FB3476DC5006582039D878AC641,SHA256=451DFA764894A9EC08DDA520C48D145080711AB15D7A8768BFC00BA58C69FC0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:00.755{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85006548B29A4E0A50703F7061F745D,SHA256=82DA2717ED2417E5BE1E3B4948D106FC77949C698F793FC78A24EA26DCD71B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:00.471{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D23F1A803412E718447A46E8E5ADAF,SHA256=3C103313DB195208D61E1E887D730D8090E212BD627356E9C7C2776580375598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:01.849{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60E5C02FB11AA6795CDF9E592BEC634,SHA256=E13CB1E381B1C18CC9FDCD62E34C2129D72C7C6EC92E75540D833A6F14274F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:01.488{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326193075BCE6C6E48FE8DAD073CD1DB,SHA256=7158062BD802B0A24605A2B2B1958DDF2966654294AA07FC9C10BCA9796F31C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:01.172{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=68A4AC1BAF63AD8E300F7B26408F0A5F,SHA256=449E9977405D58D4218D7D5919F840DB8E3865D4A67D4A9CA0109571F5D79EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:02.942{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5CCB1925B66AE3F391F0189EBE2FF7,SHA256=6B866AE9297CFB3CAFFD93F10D96C5458228C84F913FA85177FB23083C9FFB82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:00.129{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65106-false10.0.1.12-8000- 23542300x8000000000000000283262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:02.506{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B93339C94FFA047A6C190AA27AFA7D,SHA256=8078515547B1D1450A38E4BC648660E4655EA78537CE5C61EF93B12C177C8848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:03.908{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF6ED116D99EE6412DAF762601E70C13,SHA256=AB7E9EC94FC951E820DF492934B3428406BF1209903F7344594040C6F20EB68C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:03.773{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:03.773{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:03.641{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6474ED2A192181AE388485D70DCFEC00,SHA256=46C039502603D3CA2810471FD3F4466BFA6B52FCDCE40848A3815CF0EE77987D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:01.814{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65107-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000283269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:01.814{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65107-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000283268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:04.805{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89954459B3BBBC6EBC10D5BA0A231291,SHA256=D9BBFD07AD979683C8676616207FB4CEB3B3031F0E46635A3D7199ABCDE37F87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:03.169{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51147-false10.0.1.12-8000- 23542300x800000000000000055017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:04.038{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B884701A5D3B765BCFCABA667D1549AC,SHA256=E0F4DBF34464329E3A0088FB49E820E43EAE01495471C824F14C823609537274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:05.842{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C8CAAD6D0CAE771BC337E5D44F963F,SHA256=1740D1F0976AB531411223E53672657D61452930EE586AB9778B38C615B3A19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:05.130{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2491061C1E801FDCEB20B71C04B5C33F,SHA256=968F40446214EA61344391C5E098F099FF38AD6D8A5AF9099FF68AE6A38325D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:06.957{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823CD1B4CC6CFC9186F516BC01B46FE7,SHA256=D3F29BF8F8C33765753DC22E957C0E1C27419C3BC4CB6F5B85F97EEDEEE7E21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:06.224{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84A431AB0D23B950C6D1AAA7043C832,SHA256=648F5DFFEC7009B0EDD837AF54B32A1392886672D808F0912F5EF9C4C9E1A8D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:06.326{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:06.326{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:07.975{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEB57D48C8DFD7C360F77E54BEF2643,SHA256=536B79A50FBC43508A6090226D82F706DD2C68E518E76237B18705E73BBCFF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:07.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9D0DB101E0CDBD9137FFDC6DEA240C,SHA256=881FD2DA21196466E464352561B9346E5E70ED423A8706379275FBCB0008A5F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:05.252{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65108-false10.0.1.12-8000- 23542300x800000000000000055022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:08.411{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAA3A1D12C408AAB007B8932176297D,SHA256=4774BA3FFAE233191E28EE87ABFE0E4495C33B3887CD652053D6A77D702F17DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:09.505{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C3F66B847F0FD4EDD2575C6366F017,SHA256=C5D17EC9923F4B4B5A32213003AD02A2F19B8501F79A93597592767C9588BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:09.059{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821150FF757A368BCC7F76A032E76418,SHA256=086283B8156F49845EE46C63702BB0CFCB4AFBD9D85042D7786C16EF0C7EE17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:10.599{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C4470AE2E41D245E3DE9FB6BE1F1DA,SHA256=8D53B900E44A0882FBEF35ABB3645EE445291A2C2D5E1C965DF8ECC16FEB4949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:10.357{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:10.357{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:10.342{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:10.342{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:10.106{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E818788EAC7230CE28CA8F1F62A0C5C3,SHA256=96D5B89BBEF66EBD370E114992E233D58041AB78668E41F77C377192B19D3921,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:09.122{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51148-false10.0.1.12-8000- 23542300x800000000000000055026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:11.692{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50CA47E9AEF99C94DD5B3B5DF0D130D,SHA256=DF429F93947AD1025285EE5551EE7CE11F96F882E6BD3CF8F0AEB45891B5A327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:11.141{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93E9E2B3ADCFF91D99A946D5EE0BDBE,SHA256=0729A5C78D46ED9869FE55278FD84C858E52B79D06FF4AEA5380E6D697E68423,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.739{53069400-F63C-62DF-D403-000000007002}25441208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:12.243{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E2BDB37599572A741F2FB12C759639,SHA256=F2DBBEF304A9B90399F67B6052CF95FBB892920B5F78F48DC3D060D73EC6DDC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F63C-62DF-D403-000000007002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F63C-62DF-D403-000000007002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.567{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F63C-62DF-D403-000000007002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.568{53069400-F63C-62DF-D403-000000007002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.380{53069400-F63C-62DF-D303-000000007002}35404052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F63C-62DF-D303-000000007002}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F63C-62DF-D303-000000007002}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.067{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F63C-62DF-D303-000000007002}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:12.068{53069400-F63C-62DF-D303-000000007002}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F63D-62DF-D603-000000007002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F63D-62DF-D603-000000007002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.833{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F63D-62DF-D603-000000007002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.835{53069400-F63D-62DF-D603-000000007002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.786{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC21508CA94A543DE218D699E6DE1D1F,SHA256=9B8D06644C763ACB86B84D440F47B367D9DECD595B06B52B57CADCFA6ECB1105,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:11.118{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65109-false10.0.1.12-8000- 23542300x8000000000000000283285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:13.273{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD2E0E8ED1237C7595F066EC9A2B9CE,SHA256=6C086698AD4BB919287482FCE498EDF4A8D123E7E2ABDAC37C015FB8B7EFBDB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F63D-62DF-D503-000000007002}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F63D-62DF-D503-000000007002}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F63D-62DF-D503-000000007002}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.210{53069400-F63D-62DF-D503-000000007002}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF02A61F94AFB608E57C9E9B68C01C5,SHA256=9B603C436C0DBD4A42AAE6CA2C2D85D4899C6BCE2F73372C74BE366A791F32EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:13.208{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68C41E58C397E1DC6E11ACCE2152144F,SHA256=4FD705CBF67E5BDE57E23690EFC31215AB13BD020899934EF8F376D707E68915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.974{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD12CDDFFCA571D250A54F1BBC401CF,SHA256=F18F402E514D911597E56D977D067E268CEE51384B3ABBF1BAD94C00EA15383E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:14.325{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43DD9C669D44232D154E16430FAB34D,SHA256=2B1176224B7A5943E7DDCC533B07F79DC4439202E8D4A6CE3B215396CBBD928C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.646{53069400-F63E-62DF-D703-000000007002}13643348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F63E-62DF-D703-000000007002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F63E-62DF-D703-000000007002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.505{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F63E-62DF-D703-000000007002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.506{53069400-F63E-62DF-D703-000000007002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.005{53069400-F63D-62DF-D603-000000007002}3722144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.989{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCDA7B196C550124827D1D8D62B6DD7,SHA256=0B5BC40535F03CB090F59480A35E5A60758AB3BB299DEB9384BE0FB7E46524F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:15.968{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:15.967{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:15.455{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4024CAA058ABDBC4A941516B40421747,SHA256=15788E1D2513AEA28FA3266C3A55772AB4C37695F8B13102BDF6E4515559368F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:15.356{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:15.356{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:14.232{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51149-false10.0.1.12-8000- 10341000x800000000000000055125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F63F-62DF-D903-000000007002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F63F-62DF-D903-000000007002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F63F-62DF-D903-000000007002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.849{53069400-F63F-62DF-D903-000000007002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F63F-62DF-D803-000000007002}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F63F-62DF-D803-000000007002}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F63F-62DF-D803-000000007002}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:15.177{53069400-F63F-62DF-D803-000000007002}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000283293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:16.424{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ED652FFE11496EBD4952226983C1D7,SHA256=06B8FC1B87C6E2F6C1D0A752639650A7A27FCBD9FCBCECE3D479D1B7C38D4C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:16.224{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE2C35723B14FBAAD7AB60BECF6A4A3,SHA256=CDA37602A7D7522BF48BC9F8E8DF5096B6ECBDAE2093FAE1BF6F84E57567DAF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.985{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.985{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.985{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:17.489{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B1F810AC42786DCFE55C3B1455E270B0,SHA256=48C1954EDCD6C081D2BD0D49DCE5FD7814DFA427EADEAA4A87DAC4DE95D4DF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:17.099{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8558BBDA0E6F89FED2B8EB8D58ECB300,SHA256=BDEEDD4E960BB158ABFFE24E080D13B98E757DA0B73B23ABB4AAFE97EB73FCB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.985{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-F641-62DF-C505-000000006F02}57687968C:\Windows\system32\cmd.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.977{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.969{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.938{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.938{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.938{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.938{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C805-000000006F02}9516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C805-000000006F02}9516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.922{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.907{F81F30E6-F641-62DF-C805-000000006F02}95164304C:\Windows\system32\conhost.exe{F81F30E6-F641-62DF-C705-000000006F02}9952C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.907{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F641-62DF-C805-000000006F02}9516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.907{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.907{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C805-000000006F02}9516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.902{F81F30E6-F641-62DF-C605-000000006F02}9245664C:\Windows\system32\conhost.exe{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.902{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F641-62DF-C705-000000006F02}9952C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.901{F81F30E6-F163-62DF-1F04-000000006F02}22646152C:\Temp\dcrat.exe{F81F30E6-F641-62DF-C705-000000006F02}9952C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+b2e8e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.901{F81F30E6-F641-62DF-C705-000000006F02}9952C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\System32\shutdown.exe" /l /t 0C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.901{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C705-000000006F02}9952C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C605-000000006F02}924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-F163-62DF-1F04-000000006F02}22648812C:\Temp\dcrat.exe{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.888{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.885{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C505-000000006F02}5768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.454{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BC28C145D17C312A787024DD42A818,SHA256=7C7E19C4DCA4D19D732C22EC44FA9C75A52E16AD139A0978F43A33624D6446F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:18.192{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4D5378195031DBE3995AB8FE7D607A,SHA256=45714E70C8561906A168593EDBEF5D61712D15DAFE0AC909F18CA949780A1CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.937{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFDF2FCE5D1222BA9D799ED9B13BC14B,SHA256=FC52D1A2A8CFA7E64319CB0526EBCB674B7DE49CB601EF5DB23E019704AB7FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.522{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B0A200AB38C23E61BECAD5CE21F7CD,SHA256=819D352EADCEB0079EAFB6F6CDC4CB6F05F62B05ABC318AA1FD5674A1AACD68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.138{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6214F8CD407D2F9338684ED6B38A46,SHA256=948E252001F73A731798969BAF8F59D569E6B18366852CE25F7DE73DA5FBC925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.069{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.069{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.069{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.053{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.053{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.038{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.022{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.000{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:18.000{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F641-62DF-C905-000000006F02}10564C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:19.286{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11C4CB7840EBDA04660039C89E57BB4,SHA256=3D87DFD8DAF074F52B26E213E0EEF2D6DD7B191D17B8B663B4798923D9C4CAB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000283372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:17.126{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65110-false10.0.1.12-8000- 23542300x8000000000000000283371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:19.552{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E3EAB040C57125B6CCFE7CA04B49FC,SHA256=854FE94652CA16DF2B7519660DEB77CE478EE1CF4A140E9427324B9D36500A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:20.380{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2070B07B0A16FB5A17F8477CEFF5249,SHA256=B6DC4EF00DAB56CCB837FA3CE8122CB12AB4285DF0182A434BBB0A50A2698681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.583{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E471ED6BF95E87881C931624E4E6FB,SHA256=2506AC23D21F5520B9F919AC2BD110417C39933692AC708CD3D3DD250018454A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.036{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.036{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.036{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.036{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.036{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.036{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.020{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:20.020{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:20.154{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51150-false10.0.1.12-8000- 23542300x800000000000000055134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:21.474{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F326834337C2E43C55BEF28F9C4B4B06,SHA256=989DBEF0DFC91634DD393CFC1E2B10B22917FACC88117715930DB8FAE45A1AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000283440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.936{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4077887B7BA8E805B0E000A9D61752,SHA256=7C93CF27A2EE0F36435DAD4C8C613A700CA8B6073582417173F3289BF3707505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.820{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.820{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.820{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.820{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.800{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.767{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.736{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.736{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.704{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.704{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.704{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.704{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.704{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.704{F81F30E6-F645-62DF-CA05-000000006F02}1026810272C:\Windows\system32\cmd.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.714{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.704{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F645-62DF-CC05-000000006F02}5628C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.700{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DFE43C7A6E641C5C23D0B3313A248B,SHA256=1A744A629A265E3A7615EAEBC665CB80663A59404569234FC26B60BAFBE56B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.683{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.683{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.683{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.683{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.683{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.667{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.651{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.651{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-F645-62DF-CB05-000000006F02}108887776C:\Windows\system32\conhost.exe{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F645-62DF-CB05-000000006F02}10888C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-F163-62DF-1F04-000000006F02}226410168C:\Temp\dcrat.exe{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.636{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:21.620{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F645-62DF-CA05-000000006F02}10268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:22.919{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:22.919{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:22.701{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AB6F643001FBCB912FEB698B498BDC,SHA256=9545151E8F4EECCEA4F0DBE833FFD8DCB8C44DABC3FD25624B3FBE212D6E796D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:22.567{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C48887472A95AA617100B677DD21D9,SHA256=363446E7B9B411CC982B29401F6BDB094CC048617BF4E8B4017A78CEBE57B749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:23.661{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E81FEFBEF03A291D006F0E5EDCE14C5,SHA256=8E36B4342CAFA931729FC5C5AA291D6050DBA4F5B8F0DE29ECFD84DD8FB652B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.998{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.998{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.998{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.981{F81F30E6-F647-62DF-DE05-000000006F02}934010616C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.981{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.981{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.981{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.981{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-F647-62DF-D105-000000006F02}94449228C:\Windows\system32\cmd.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.976{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.965{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-F163-62DF-1F04-000000006F02}22649888C:\Temp\dcrat.exe{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.961{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.950{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.934{F81F30E6-F647-62DF-DC05-000000006F02}112209620C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.919{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-F163-62DF-1F04-000000006F02}22649456C:\Temp\dcrat.exe{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.917{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.903{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.898{F81F30E6-F647-62DF-D905-000000006F02}1041211236C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.898{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.897{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.897{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.897{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.897{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.897{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-F647-62DF-CF05-000000006F02}102088072C:\Windows\system32\cmd.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.896{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.881{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-F163-62DF-1F04-000000006F02}22649472C:\Temp\dcrat.exe{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.875{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.866{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-F647-62DF-D705-000000006F02}829610532C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.850{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-F163-62DF-1F04-000000006F02}226411048C:\Temp\dcrat.exe{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.835{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.834{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.819{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.819{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.819{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.803{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.803{F81F30E6-F647-62DF-D505-000000006F02}106684436C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.801{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.799{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D505-000000006F02}10668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.797{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.797{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.797{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-F163-62DF-1F04-000000006F02}22643288C:\Temp\dcrat.exe{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.793{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-F647-62DF-D205-000000006F02}73406736C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.781{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-F647-62DF-CD05-000000006F02}172410192C:\Windows\system32\cmd.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.768{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.766{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D205-000000006F02}7340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-F163-62DF-1F04-000000006F02}22649384C:\Temp\dcrat.exe{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.751{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.750{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D105-000000006F02}9444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E48FDE95EE186F5A9FEBC7EA3D77C6B,SHA256=782692477FD70E6071F01E96B8EED08167EE51ECBE1248C2D0C19502C436DFCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.734{F81F30E6-F647-62DF-D005-000000006F02}1008011100C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-D005-000000006F02}10080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.719{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.703{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.703{F81F30E6-F163-62DF-1F04-000000006F02}22646756C:\Temp\dcrat.exe{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.718{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.703{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-CF05-000000006F02}10208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.703{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.703{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.703{F81F30E6-F647-62DF-CE05-000000006F02}543210304C:\Windows\system32\conhost.exe{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.703{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.701{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-CE05-000000006F02}5432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.699{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.699{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.699{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.699{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.698{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.698{F81F30E6-F163-62DF-1F04-000000006F02}22645364C:\Temp\dcrat.exe{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.698{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:23.698{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-CD05-000000006F02}1724C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.983{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.983{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.983{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.983{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.983{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.983{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.983{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-F648-62DF-F005-000000006F02}1134411348C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.975{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.968{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.952{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.952{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.952{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.952{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.952{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.952{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.936{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.921{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.921{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.921{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.921{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.921{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.921{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.905{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.899{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.899{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.899{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-F648-62DF-EE05-000000006F02}1127611280C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.894{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.883{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.868{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.868{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.868{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.868{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.852{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.852{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.852{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000284041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA572EC54B6E706509603EA3CB1879C8,SHA256=EED6061FA29DFD7B54F7C3BC6C9D7D880ECB5592A0BFF61A5B7DFDA89E3B4352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-F648-62DF-EB05-000000006F02}97688648C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.826{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85120F82C7BF823F3882CFBFF6BBE3A3,SHA256=5FBA7B17ADE9F8408503D56F6CEF99CBC5A344CF7F4F525CE06C4BFC32F70C2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.821{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.805{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.805{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.805{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.799{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.783{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.752{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.752{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.736{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.736{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:24.755{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DAF69F3EB9CB0F00DE5B71F9492496,SHA256=C55711223B9DDF2175BBD45D21D6A41448A484CA037FE0FF4A0D410355ABB2CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-F648-62DF-E805-000000006F02}10656308C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.716{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-F648-62DF-FD05-000000006F02}1169211716C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.705{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.704{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.697{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.680{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.680{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.680{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.680{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051E91E3D62F2719C178273E8E354D3F,SHA256=D1D97360C693AC6423AB46B3FEEE0FCFF6CDEABFD58DA6984F14C509E4F09880,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.665{F81F30E6-F163-62DF-1F04-000000006F02}226411652C:\Temp\dcrat.exe{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.664{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.649{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.649{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.649{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.649{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000283982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.633{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.618{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.618{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-F648-62DF-FA05-000000006F02}1160011656C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-F648-62DF-E505-000000006F02}107768244C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.605{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.602{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.601{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.580{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.580{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.580{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.580{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.580{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.580{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-FA05-000000006F02}11600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.580{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-F163-62DF-1F04-000000006F02}226411564C:\Temp\dcrat.exe{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.579{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.565{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.549{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.549{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.549{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.549{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.533{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.533{F81F30E6-F648-62DF-F705-000000006F02}1152411580C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.533{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3E96CC4CF8846D798635A9765C86AD,SHA256=07B370E258333457BF1CE50BC6800DD1041590AB7D9C2978DFADC70538A95B15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-F648-62DF-E305-000000006F02}665210772C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.523{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.518{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F705-000000006F02}11524C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-F163-62DF-1F04-000000006F02}226411484C:\Temp\dcrat.exe{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.507{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.502{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.480{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.480{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.480{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.480{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.480{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.480{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.480{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.465{F81F30E6-F648-62DF-F405-000000006F02}1144011488C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.465{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.465{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.465{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.465{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.449{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-F648-62DF-E005-000000006F02}8588348C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.447{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F405-000000006F02}11440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-F163-62DF-1F04-000000006F02}226411400C:\Temp\dcrat.exe{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.439{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.434{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.418{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.402{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.398{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89029A1403AABF585F8A5715838B0D74,SHA256=5394613961C242B87D0AE29648F365A59C4E06B39898857A520E4695BE879521,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.396{F81F30E6-F648-62DF-F105-000000006F02}1136011404C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-F647-62DF-DD05-000000006F02}73769856C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.372{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F105-000000006F02}11360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-F163-62DF-1F04-000000006F02}226411316C:\Temp\dcrat.exe{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.366{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.365{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.349{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.349{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.349{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.349{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.349{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.334{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.334{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.334{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-F648-62DF-EF05-000000006F02}1128811324C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.318{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EF05-000000006F02}11288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.302{F81F30E6-F163-62DF-1F04-000000006F02}22649448C:\Temp\dcrat.exe{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.301{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.301{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EE05-000000006F02}11276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.298{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.298{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.298{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.298{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.281{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.281{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.281{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.281{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.281{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.281{F81F30E6-F647-62DF-DB05-000000006F02}104009060C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.284{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.281{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.265{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.265{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.265{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.250{F81F30E6-F648-62DF-EC05-000000006F02}110846740C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.250{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.250{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.250{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.250{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.234{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31791B18C6771BD7903915C49B66368F,SHA256=045D52F3289EA555464967B9AC3F4146379886B6860B31DC0DDBDEFD7C07F0BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.234{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.234{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.234{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.234{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EC05-000000006F02}11084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-F163-62DF-1F04-000000006F02}22649516C:\Temp\dcrat.exe{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.231{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EB05-000000006F02}9768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.218{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.203{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.203{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.202{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF9214601C0C7DB381DD1F1CD977559,SHA256=579C098FCE55E9862A40EA92EFD9DD21F6C4883D4F5152131D5CEBAE3A93C6F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-F647-62DF-D805-000000006F02}98048240C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.193{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-F648-62DF-E905-000000006F02}602410068C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000283756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.181{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7981ACBCCDC3F1DD0BD65BB85735874E,SHA256=DC4022E0FBB74F45382A6AFA9912E5ED4FB553371FB2F83BC5A14A8DA14A3814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000283755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E905-000000006F02}6024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-F163-62DF-1F04-000000006F02}226411252C:\Temp\dcrat.exe{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.169{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E805-000000006F02}10656C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.165{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.150{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.150{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.150{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.150{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DD05-000000006F02}7376C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.150{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.150{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.134{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.134{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-F648-62DF-E605-000000006F02}55846152C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-F647-62DF-D605-000000006F02}668410424C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.121{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-D605-000000006F02}6684C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.118{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E605-000000006F02}5584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DB05-000000006F02}10400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-F163-62DF-1F04-000000006F02}22649984C:\Temp\dcrat.exe{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000283705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.110{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E505-000000006F02}10776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.103{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.098{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.098{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.081{F81F30E6-F648-62DF-E405-000000006F02}107128708C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E405-000000006F02}10712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-F163-62DF-1F04-000000006F02}22646920C:\Temp\dcrat.exe{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.066{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.065{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E305-000000006F02}6652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-DC05-000000006F02}11220C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.050{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.050{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.050{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.034{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D905-000000006F02}10412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.034{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.034{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.034{F81F30E6-F648-62DF-E105-000000006F02}868010744C:\Windows\system32\conhost.exe{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F647-62DF-DA05-000000006F02}9144C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-F647-62DF-D405-000000006F02}635210884C:\Windows\system32\cmd.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000283668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.021{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F647-62DF-D405-000000006F02}6352C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000283667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.018{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E205-000000006F02}5896C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E105-000000006F02}8680C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DF05-000000006F02}2548C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D805-000000006F02}9804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000283653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-F163-62DF-1F04-000000006F02}226410252C:\Temp\dcrat.exe{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000283652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.010{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000283651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-E005-000000006F02}8588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F647-62DF-D705-000000006F02}8296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.003{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F647-62DF-D305-000000006F02}10492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.001{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.001{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F647-62DF-DE05-000000006F02}9340C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.882{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450E1B2189880E7BC35A99A91C123033,SHA256=BEFBC400CCE296F2F76A1B017E9F5A3FC780BD324F3D34C0B3FCBA443BAAEEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.867{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694044654A19045F63006AD54E72C0B7,SHA256=0D0EAF813042382F397535D59B7EC5BCE709DD3B7A45E2EBCD67AA52116A5AC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.667{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.651{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.636{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.636{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.636{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.636{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.620{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.620{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.620{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.620{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.583{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.567{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.567{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.567{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.567{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.567{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.567{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.551{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.520{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.520{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5765E67A30397630E9C1C8153BE32CB,SHA256=1AD59DB65BF20B440B1B87EAC559453D4FA9CBE8DF3FD50BCCAC8A8F0AF86BD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.504{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.501{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.500{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.500{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.500{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.483{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.483{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.483{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.483{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.483{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.467{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.452{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.452{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.452{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.452{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.452{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.436{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.436{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.436{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.436{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.436{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.420{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.420{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.420{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.420{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.405{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.405{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.405{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.405{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.401{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.383{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.383{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.367{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.352{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.352{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.352{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.352{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.336{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.336{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.336{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.336{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.336{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.336{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.320{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57E463ADCC1E43D5DCF3006E53C0B8C,SHA256=D81F6B446F15B0B2DC274ECF8AF11061C79D1ECA10B3E6B3AAF1BE72A3412EE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.305{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.305{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.305{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.305{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.305{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.305{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.283{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.267{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FE05-000000006F02}11740C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.252{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.252{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.236{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-F648-62DF-FC05-000000006F02}1168411688C:\Windows\system32\cmd.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.226{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-FC05-000000006F02}11684C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.221{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0506-000000006F02}12056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-EA05-000000006F02}11032C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.205{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-FB05-000000006F02}11636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.183{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9F6AEB85FE621D42D6B5890AD17A02,SHA256=DBDE1F5FABDE7D2244337A5F7714774228091ACC317646B3DB23C233A954195E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-F648-62DF-F905-000000006F02}1158811592C:\Windows\system32\cmd.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.169{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-F905-000000006F02}11588C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.168{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0406-000000006F02}12012C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.152{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.152{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.152{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F805-000000006F02}11552C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-F648-62DF-F605-000000006F02}1151211516C:\Windows\system32\cmd.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.122{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-F605-000000006F02}11512C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.121{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0306-000000006F02}11976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.105{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.105{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.105{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.105{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.105{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-0006-000000006F02}11832C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.100{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.083{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.083{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.083{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.083{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-E705-000000006F02}1796C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.068{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.068{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.052{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-F205-000000006F02}11368C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.052{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.052{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.052{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.052{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F505-000000006F02}11452C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F648-62DF-FF05-000000006F02}11800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-F648-62DF-F305-000000006F02}1142811432C:\Windows\system32\cmd.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.045{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F648-62DF-F305-000000006F02}11428C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F649-62DF-0206-000000006F02}11924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.036{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31F8DE3EAE20F069D97CB0260510590,SHA256=F9E253D12D690A443B727346DA8BF1A206AD74436368882B160459C0F8059F74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.021{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-FD05-000000006F02}11692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.005{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.005{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F648-62DF-0106-000000006F02}11876C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F648-62DF-ED05-000000006F02}492C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.000{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:25.000{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:24.999{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F648-62DF-F005-000000006F02}11344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:25.849{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460AD8244805998E5C30DD6D757B8308,SHA256=0B4B57A531681AB2C7D873AB57C922D5D0CD33E04C441EA5294DBF8CC993DBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:26.903{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E78EEE4F4D2026984087642DC50631,SHA256=6ABC763D80D4EEFCEAC5D6D194438367A5CC1F1299B00343C18BE870220B6A77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:26.719{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:26.719{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:26.666{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:26.666{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:26.382{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:26.382{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:22.145{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65111-false10.0.1.12-8000- 23542300x800000000000000055140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:26.942{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D930AF830E6B6B865F54C10C2A27BD8,SHA256=CDD8105D0A5FA497560A197E34EF5C89B63FE960B5A0053D1FDABFC34D4AFC08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.949{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C18E6895EB9A9FA728D2530B2551979,SHA256=2779246241E8BE4A853CD53FC3CB9C9D7D120CB819F38DD951D8212D646A5C90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:27.534{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:25.185{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51151-false10.0.1.12-8000- 23542300x8000000000000000284340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:28.996{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23541137EA4BE9ACD9C70991F44F9974,SHA256=36A3CBBE66260277B166D4CCD9239C5B3735075FF38FC3F0891393F41A39B833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:28.036{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2738D4374862230F69F20098CFC3153,SHA256=E01F0E9636B39311C0AACB9955071F661E7203018BF5A385251016AFE47B7035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:29.130{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BDA313F1F11A6D173CF60099490363,SHA256=D15D8568B3DA71B5B4D2948144E37679CB583F9F27CF85C71366C041B3CB8C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:30.224{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC0F4D96958A06D85AD0E489D052F1B,SHA256=4FCAB451EEEECC2996BB1F16D3672240CAFDE1174AFB9B7D04DF8D672D3780DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.432{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE91EB43FC5E6D807E812146E85DF15B,SHA256=077B0A7BDA613354498291CE53264F02D6A06F5700D87468F2E1CC55F1B3C52E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.400{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.399{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.399{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.364{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.348{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.333{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.317{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.301{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.264{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.264{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.233{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000284384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:28.074{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65112-false10.0.1.12-8000- 10341000x8000000000000000284383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.217{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.217{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.217{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.217{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.217{F81F30E6-F64E-62DF-0606-000000006F02}1226012264C:\Windows\system32\cmd.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.222{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.217{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F64E-62DF-0806-000000006F02}11528C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.201{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.201{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.201{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.201{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.180{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.180{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.180{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.180{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.164{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.164{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.164{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.164{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.164{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.148{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.101{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.101{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.079{F81F30E6-F64E-62DF-0706-000000006F02}1226811292C:\Windows\system32\conhost.exe{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.064{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.064{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F64E-62DF-0706-000000006F02}12268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.048{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.048{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.048{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.048{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.048{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.048{F81F30E6-F163-62DF-1F04-000000006F02}226412252C:\Temp\dcrat.exe{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.050{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.048{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F64E-62DF-0606-000000006F02}12260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:30.032{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6089C3A7A41DCC05EB1B94049F0433,SHA256=C8445971EAA4501877E0691FA5B56B03123E3D5DED9D7B452770F4493DBACA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:31.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A45B9FBF1E1FF9CC3E3FF180CE94F8A,SHA256=51560B66A7001389BD2D04421AE84915114F108A1A6BC6A440746F4D4CF00C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.817{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.098{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E90630D7B8E4A456116ED46357754FDE,SHA256=69FF29320708AC90ACBBF71773E6B232B45F14D33396638F1899FFD0A13E8118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:31.080{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EE1C49503DCF2DB6AE6AE25717490B,SHA256=AB95769CD2A82A7C01C0BEA4D1A36B0CBBEF2911CE1453A78E9C2D7E75348B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:32.411{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1DE59DBB16C6E4B9371D5CBF8C8500,SHA256=00068649AEF3134C42B23890FFD3554D5320681FE33C046CEE397A09D8239254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.780{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F650-62DF-0A06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.780{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.780{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.780{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.780{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.780{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F650-62DF-0A06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.780{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F650-62DF-0A06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.781{F81F30E6-F650-62DF-0A06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.433{F81F30E6-F650-62DF-0906-000000006F02}96289572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.132{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC267DB598E1EAF39173B80DEC4AE83,SHA256=714C64E8B6E7643DB470C7EBDAD63456124ABE6E70642BF721C4851F2E0DFD9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F650-62DF-0906-000000006F02}9628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F650-62DF-0906-000000006F02}9628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F650-62DF-0906-000000006F02}9628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:32.117{F81F30E6-F650-62DF-0906-000000006F02}9628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:30.263{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51152-false10.0.1.12-8000- 23542300x800000000000000055148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:33.505{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD323DCF379DEDD3361C69769491E687,SHA256=B7F71671D1E3245C4D5A852DFE8A33736143088BB9A551532C7931DB4C2D5568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.781{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F651-62DF-0C06-000000006F02}8988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.781{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.781{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F651-62DF-0C06-000000006F02}8988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.781{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F651-62DF-0C06-000000006F02}8988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.782{F81F30E6-F651-62DF-0C06-000000006F02}8988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.399{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=791C751CADFF11E99600A8EBF71B3749,SHA256=1326EC13374C3AC3819CD10A0D871E376D56E1BF4AF91CE361C913FD67315271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.280{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F651-62DF-0B06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.280{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F651-62DF-0B06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.280{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F651-62DF-0B06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.280{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.280{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.280{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.280{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.282{F81F30E6-F651-62DF-0B06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.164{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CC4D1B1216153C3C6B56A9EE1D69D0,SHA256=1C604555AD508CE79E70961C41249D6302DFD6091DFD4A870D5CDE07D4A6E972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.080{F81F30E6-F650-62DF-0A06-000000006F02}1227212256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:34.599{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A1875E5A7C60FE9B87A280A27F50CC,SHA256=C42CB089A1EFE72894BD174AFB2EDCFF197754605175587A07087D1A18AC41BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.882{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5420FCB544EA4FB28546F27EC3A8EAF3,SHA256=53C36EC37A6114816600AC85C93F06814460B6236838B93EB34C18F7C3313E9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.403{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F652-62DF-0D06-000000006F02}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.402{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.401{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.401{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.401{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.401{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F652-62DF-0D06-000000006F02}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.400{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F652-62DF-0D06-000000006F02}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.400{F81F30E6-F652-62DF-0D06-000000006F02}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.266{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22B9161EAA2B68C536DE1CBD744C79E,SHA256=977D944D7FA66B16CB28962E5C44F4EF83A4DE962BC2D8561C2F875C20D66337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:34.114{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CEFFE7268E15E0B62ACB08971F613572,SHA256=3AA71C833703D4F02723BAE6441DA0B2C8B716B5E110E169D825DB1CB70A0E48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:34.035{F81F30E6-F651-62DF-0C06-000000006F02}898812256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:35.692{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4B1F455725DBC3E4DEC39E31C5BFE8,SHA256=3A5A0A025345E0ADD62DF68DFC62F33285EE0024A968822DFA0297387FBA23CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.565{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F653-62DF-0F06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.565{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.565{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F653-62DF-0F06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.565{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F653-62DF-0F06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.566{F81F30E6-F653-62DF-0F06-000000006F02}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.350{F81F30E6-F653-62DF-0E06-000000006F02}1227212256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.303{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36756C75575435C2E6CAF9FBA25B3845,SHA256=32B6AD074FCBC4FD3786C7128D52B398B82EB9185C40FAAC7940CFDA7873B5FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.066{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F653-62DF-0E06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.066{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F653-62DF-0E06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.066{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F653-62DF-0E06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:35.067{F81F30E6-F653-62DF-0E06-000000006F02}12272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:36.786{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF31830C4A85F1E388CC261BB66C2C4D,SHA256=ACB349B5DEB66B6529E7AF3E1114C540894A3D14BE0CC14FAF78806B50D2E9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:36.664{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57E9684B45E8318CCD4DB7593D7B8B3F,SHA256=A8E021B021F5330371318CA61B37EA454549D45E2B2DEFE67B0CCFC3B99618B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:36.333{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5531A3D2DEB496B828C1FCF9A1BDB65,SHA256=35213DADAC48A2DBEF59F70CABA9C456E2D8197262D4BB4FDDD266EACEBEB9D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:33.208{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65113-false10.0.1.12-8000- 23542300x800000000000000055154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:37.914{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-119MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:37.881{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E42910FAD95D31F0D7304E81BFF06D,SHA256=98894B55CF5061DC07B0716232DABDC5193B715CC59BC16F23EAC7BB6C49BCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:37.579{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668BAE49510DA1D063B09D8BC875CA39,SHA256=0A1ECC703BA6794D789CCDDC4A66349EB8D16A3F29DB7027BC78B79844B0C0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:38.979{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C02B6ABEEF1CD0D81B8FAC98989BE4,SHA256=ED83B4E7697265C0C5AD0C9429C3DB024A7CD3735AF57D56108C9F9F6A6E8D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:38.919{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.909{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:38.609{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DAFB506D0714E9F90BA7C6E02F9A96,SHA256=522625C0B8A7516A142D0FBD4F5CFB7A490FCB993F1A4A0298176786AF7603B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:36.216{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51153-false10.0.1.12-8000- 23542300x800000000000000055158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:39.966{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489F4477BEF61D6008861C574FB33809,SHA256=C1E6392FEB2987084C85A986DB4823683C70DCDB693D423280CD2753186A1977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:40.108{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3237461F9F7A78EE3EB8C11C0A1CC2,SHA256=3BF8B4449CF6860C13FC053061F06B32DAF63A2C83C2FEF3032BCF4175530EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:41.060{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C29D3DFE23ADC4C1FC1A6CEDD83B760,SHA256=CED7926A32F025A8B5418FB737B3169DDB808B037BB77F543E8ADF20A72BACA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:39.072{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65114-false10.0.1.12-8000- 23542300x8000000000000000284522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:41.245{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7739B5D0400592C3B63C994C33DE15C,SHA256=E8382ECB9E1DDD51CDF6D3D40FD294099E4497BC61FC434C57200BF8F4928FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:42.153{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33A62B3CDC777437DCE8010D29F76C9,SHA256=6DDD4A3B82B3ADE1D95062423656EC9DEE1490CADEF764EA4871460D921695C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:42.326{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20499CE6EC676C91845F24726DDD0C12,SHA256=AC13AE5FD5245D760F396447859E27ED30156BA654449786ED5AED959EF2163D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:41.302{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51154-false10.0.1.12-8000- 23542300x800000000000000055161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:43.247{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F36852A9B09B94AF8442FF272CB8CD,SHA256=ABF622E6541AE054B10E772CBB0838DD3336149F0BA618671A79277FD42C05EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:43.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55248216645D198113E4ED4C9BEF15C,SHA256=098076E0DF8C02CB47EC64B6A58901AECAF0577446F1A043A935A1F317340B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:44.477{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CACC4B655BCDA1304FE7284E50503E,SHA256=FC07837AFE2DF0BBF235B70975A81AECDD49F2FED37D3B00E9E8D7EA23EE8B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:44.341{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8297DF4672B25BDA9C7437E580B6E97,SHA256=B8CF1870B2047617705F1B755B466BA84AD50363D7016CE11CF0FBA34DCC110E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:45.624{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340AC05B1DE7279B68BEFBF7F3B2A45C,SHA256=A73679706ABF62ECBFC11413FA625EB7F0EC9B84B9A0175D611393BDFD836ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:45.434{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF17D4D0FF0E903AD2B7EE54B9FD7089,SHA256=A91B914BBDFD3D9E9087660D8FCFA643D078BB8AAD8AA1F1A1A9CCC71D1EDBF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:46.651{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3E6E1BA69CDB047A1B08C4BFF1CC69,SHA256=B01CD5892DA465BCD4D61FC9789D8D31B9A77A87B5319319FEB2632BA292A467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:46.528{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A412A059FBD009BA0459BB5AB26A0B7,SHA256=244E64EAD683990E92D0FA8F954BBCAF5D9F6D094A5710C50C1551CEEBD4C893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:46.247{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:47.697{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2110742368176A7FCBF8BC3679A30CBF,SHA256=BDF8402F671B6165CF4F305F2E69862045A8928872CAFA7C820C5B245A7C6541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:47.622{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813FBD56B2C5134C706F9619A56761F6,SHA256=413ABC76E848310A39D3C462F9E59D44E322B0C2A9F4EA7ED5BFE00F41D3DE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:47.591{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F72B794290A5C355DB2A019BF3C63513,SHA256=33806537E00764DA74B110FFDCDE6BAD12E4047DBEFA579BEA2096FF542FD869,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:44.087{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65115-false10.0.1.12-8000- 354300x800000000000000055168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:46.302{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51155-false10.0.1.12-8000- 354300x800000000000000055167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:46.302{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51156-false10.0.1.12-8089- 10341000x8000000000000000284535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:48.983{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:48.983{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:48.732{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CC236C7EB00792DC50292A4338412C,SHA256=C4B682245D6A1CBE8A6B739F131A5D7180045ED7BCAC81FE57589364827483AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:48.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4854E6A9AA49196B6821424C6FFDA67,SHA256=1C4E77D103B7348E48A8AD40C188493C058F4F8F93F21B2454641BB2305D8C15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:48.165{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:48.165{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:49.700{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9937A6B0D137FAF05464C1EE395E93AA,SHA256=EEFA510850F7AB6DA9182FF172C8118ECDB2B4403E8B45D34A0CABC19E955578,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.982{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.966{F81F30E6-F661-62DF-1D06-000000006F02}1247612512C:\Windows\system32\conhost.exe{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.950{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-F163-62DF-1F04-000000006F02}226412416C:\Temp\dcrat.exe{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.939{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.935{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.913{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.897{F81F30E6-F661-62DF-1206-000000006F02}1212812272C:\Windows\system32\cmd.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.912{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.897{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.897{F81F30E6-F661-62DF-1A06-000000006F02}1240412436C:\Windows\system32\conhost.exe{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.897{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-F163-62DF-1F04-000000006F02}226412368C:\Temp\dcrat.exe{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.886{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.882{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.866{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.866{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.866{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.866{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.866{F81F30E6-F661-62DF-1806-000000006F02}1236012384C:\Windows\system32\conhost.exe{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.851{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.851{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.851{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-F163-62DF-1F04-000000006F02}226412296C:\Temp\dcrat.exe{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.840{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.835{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.833{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.833{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.833{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.833{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.833{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.833{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.833{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.832{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.831{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.830{F81F30E6-F661-62DF-1006-000000006F02}957212248C:\Windows\system32\cmd.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.829{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.829{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.813{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.813{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.813{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.813{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.813{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.813{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.798{F81F30E6-F661-62DF-1506-000000006F02}628012312C:\Windows\system32\conhost.exe{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.782{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.782{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1506-000000006F02}6280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.782{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.782{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.782{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.782{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.782{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-F163-62DF-1F04-000000006F02}226410036C:\Temp\dcrat.exe{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.780{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.766{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-F661-62DF-1306-000000006F02}1052410028C:\Windows\system32\conhost.exe{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.751{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1306-000000006F02}10524C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-F163-62DF-1F04-000000006F02}226412204C:\Temp\dcrat.exe{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.739{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.735{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1206-000000006F02}12128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.734{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.734{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.713{F81F30E6-F661-62DF-1106-000000006F02}1213612256C:\Windows\system32\conhost.exe{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.713{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.713{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1106-000000006F02}12136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.698{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.698{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.698{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.698{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.698{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.698{F81F30E6-F163-62DF-1F04-000000006F02}22649628C:\Temp\dcrat.exe{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.711{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.698{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1006-000000006F02}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.234{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.067{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.067{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.051{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.051{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.030{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.030{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:50.794{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDCAEE54AD3EBCC999CB6B5194445BC,SHA256=4C751A9285047220750854472E30F67CBE4C88BEF0F963EEB0415DBBF0729E0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.981{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-F662-62DF-2806-000000006F02}1278012784C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.976{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.965{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.934{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.934{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.934{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-F662-62DF-2506-000000006F02}1270012704C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.913{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.897{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.897{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.897{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.897{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.897{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.897{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.881{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.881{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.866{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.866{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.866{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.866{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.866{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.850{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.850{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.850{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA76BA0F9C7FE68ACF972669829E7DFE,SHA256=02713FDCAE0E127A61F71A4C12FCCDED2E23E5384E5D05DFD7F16782177165F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.850{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.850{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EFA13DB1641512053402C9310435C58,SHA256=F58BD95FF18DFE123637BE3094C8D0D9FFEAEDD3906B4CF13144DA99274F001B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.834{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.830{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.829{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.829{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.829{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.813{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.813{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.813{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.813{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.813{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.813{F81F30E6-F662-62DF-2306-000000006F02}1264812652C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.826{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.813{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.797{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.797{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.797{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.797{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173B71E3F8E91522013461854B9E7A10,SHA256=89BE596245428AAA2F2828538229B1A9F60703B41F3B5000BBDE226CD623372D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-F662-62DF-2006-000000006F02}1256812572C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.755{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.750{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.733{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.713{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.713{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.713{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.713{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.713{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.713{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.713{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-F662-62DF-3206-000000006F02}1304013064C:\Windows\system32\conhost.exe{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000284923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.697{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-F163-62DF-1F04-000000006F02}226412984C:\Temp\dcrat.exe{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.684{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.682{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.666{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.666{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.666{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.666{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.666{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.666{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.650{F81F30E6-F661-62DF-1E06-000000006F02}1251612520C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.665{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.650{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.650{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.650{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.650{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.650{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.635{F81F30E6-F662-62DF-2F06-000000006F02}1294412988C:\Windows\system32\conhost.exe{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.635{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.635{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2F06-000000006F02}12944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-F661-62DF-1C06-000000006F02}1246812472C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-F163-62DF-1F04-000000006F02}226412896C:\Temp\dcrat.exe{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.614{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 154100x8000000000000000284870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.614{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.613{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.597{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.582{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.582{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.582{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.550{F81F30E6-F662-62DF-2C06-000000006F02}1287612900C:\Windows\system32\conhost.exe{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.550{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.550{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.550{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.535{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.535{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.535{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.535{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.535{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.513{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.513{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2C06-000000006F02}12876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-F163-62DF-1F04-000000006F02}226412808C:\Temp\dcrat.exe{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.494{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.482{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:48.241{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65116-false10.0.1.12-8089- 23542300x8000000000000000284840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.466{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA56F749C5BCA5E3B55B74C6A011D78,SHA256=001BC358610F4F374F8FEC260353BF2490F0BBA0B7B8F32317A4D9F993AFF28A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.413{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.413{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-F661-62DF-1906-000000006F02}1238812392C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.389{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-F662-62DF-2906-000000006F02}1278812824C:\Windows\system32\conhost.exe{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.382{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.351{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.351{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2906-000000006F02}12788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.351{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.351{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.351{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.351{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.351{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.335{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.335{F81F30E6-F163-62DF-1F04-000000006F02}226412760C:\Temp\dcrat.exe{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.349{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.335{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2806-000000006F02}12780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.335{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DDDFBB943C7BEA451B0B9B1BF160A5,SHA256=8774D21EC9BC67A6EDB45CE20D8210E2933E6FF0F0A1176875E240AA37CE826C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.335{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.329{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.328{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.328{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.313{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.313{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.313{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.313{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.313{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.313{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.313{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.297{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.297{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.297{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.297{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.297{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.297{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.297{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.281{F81F30E6-F662-62DF-2706-000000006F02}1272812764C:\Windows\system32\conhost.exe{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.281{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2706-000000006F02}12728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B9BAAC3423DD0F0741074A639CD537,SHA256=ED74ECA3EA7A338FF7B1EF4A398551C0EF77A25D6F513C9D8F4B5678D352F404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-F661-62DF-1706-000000006F02}1235212356C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F661-62DF-1706-000000006F02}12352C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1606-000000006F02}12324C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-F163-62DF-1F04-000000006F02}226412684C:\Temp\dcrat.exe{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.258{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2506-000000006F02}12700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.250{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B79D2E5903D8B108CA43B32395A6581,SHA256=ACA4F32A82AB040C7A9CD9E6AEDDB2206BBDA09C4D7EC94990D3C9E8690B080B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.234{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.229{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.229{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.229{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.229{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.197{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.197{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1C06-000000006F02}12468C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.182{F81F30E6-F662-62DF-2406-000000006F02}1266012680C:\Windows\system32\conhost.exe{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.182{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.182{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.182{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2406-000000006F02}12660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-F163-62DF-1F04-000000006F02}226412600C:\Temp\dcrat.exe{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.153{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2306-000000006F02}12648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.150{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1D06-000000006F02}12476C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-F661-62DF-1406-000000006F02}105446228C:\Windows\system32\cmd.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.098{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F661-62DF-1406-000000006F02}10544C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000284726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.097{F81F30E6-F662-62DF-2106-000000006F02}1257612628C:\Windows\system32\conhost.exe{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.082{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.082{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F661-62DF-1B06-000000006F02}12440C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.082{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2106-000000006F02}12576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-F163-62DF-1F04-000000006F02}226412552C:\Temp\dcrat.exe{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.075{F81F30E6-F662-62DF-2006-000000006F02}12568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000284712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1906-000000006F02}12388C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.066{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.050{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F661-62DF-1A06-000000006F02}12404C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.035{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.035{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.029{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F661-62DF-1806-000000006F02}12360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.013{F81F30E6-F661-62DF-1F06-000000006F02}1252812556C:\Windows\system32\conhost.exe{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.997{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.997{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.997{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F661-62DF-1F06-000000006F02}12528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.997{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.997{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.997{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.982{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.982{F81F30E6-F163-62DF-1F04-000000006F02}226412496C:\Temp\dcrat.exe{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000284691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.994{F81F30E6-F661-62DF-1E06-000000006F02}12516C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x800000000000000055174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:51.888{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E182765DEC206C0B22C4EC8094C36E9,SHA256=C0BE16CADEA8619E4FC12EF45A6C976253C08A9190A21A6B206C495CFEC33B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.913{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9601A4FF63EB8CC337375B5DAA376ED6,SHA256=94AD7E9DC89103BAC3058A34673A2FF733448BEC1A830FC3B354E80FA6D24690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.696{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFC19E6D02DA326F1E94CA9697C4A33,SHA256=207C4D4E33CFF277055CAED123DCCA15204D8A12D649468A389586911877215A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.612{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.580{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.580{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.580{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.565{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.549{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.549{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.549{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.549{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.533{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.532{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.532{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.532{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.528{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.528{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.528{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.528{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000285171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:49.140{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65117-false10.0.1.12-8000- 10341000x8000000000000000285170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.512{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.512{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.512{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.512{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.512{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.512{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.496{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.480{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.465{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.465{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.449{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.434{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.412{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.412{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.412{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.412{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.412{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.396{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.396{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.396{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.396{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.396{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.381{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.381{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.381{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.381{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.381{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.365{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.365{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.365{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFB1817D6B051CB6F843ECA96C1C2CF,SHA256=796DDF9E6D93E7D073F5718F38BB6D5F3CFBA5D6B28E0E97DA14BDF1B871AEAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.349{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.334{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.328{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.328{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.328{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.328{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.312{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.281{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.265{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.265{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.249{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.249{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.249{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.249{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.234{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.234{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.234{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.234{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.234{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.231{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.231{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.230{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.230{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.230{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B327D80E55E0405C911E9AEED9AC10D1,SHA256=9BE190476ECD9760BB6936778F3510338A41F8A99245C1CD42257B95C8A0DE9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.212{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3306-000000006F02}13100C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.197{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.181{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.181{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.181{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-F662-62DF-3106-000000006F02}1303213036C:\Windows\system32\cmd.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.155{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F662-62DF-3106-000000006F02}13032C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.150{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3906-000000006F02}12768C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.134{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.134{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.134{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.134{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-3006-000000006F02}13004C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.112{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.112{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.097{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-3506-000000006F02}13196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.097{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2E06-000000006F02}12932C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-F662-62DF-2D06-000000006F02}1292412928C:\Windows\system32\cmd.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.089{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.081{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3806-000000006F02}9632C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.065{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.065{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.050{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2D06-000000006F02}12924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-F662-62DF-2B06-000000006F02}1286812872C:\Windows\system32\cmd.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.035{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F663-62DF-3706-000000006F02}13284C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.034{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.033{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2206-000000006F02}12620C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.012{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-2606-000000006F02}12720C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:51.012{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F662-62DF-3406-000000006F02}13132C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F662-62DF-3606-000000006F02}13240C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2B06-000000006F02}12868C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F662-62DF-2A06-000000006F02}12828C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F662-62DF-3206-000000006F02}13040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:50.997{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BEE0FD95FA9CA05CB713C6EDDC5C42,SHA256=40D9867691142448507F647C2D47395C56575812B065D34C1B8D5F3CB836A597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:52.982{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC918B95F22A6E2322F67F0203F5248,SHA256=F0500CE2F995D1292B300131D39E829998FA70DB6FE7EC61DB938BB1ACB2124C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.664{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:52.350{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-119MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:52.287{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51157-false10.0.1.12-8000- 23542300x8000000000000000285208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:53.364{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:53.048{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AA03E542482AA400FECC5948F3426D,SHA256=ED45F878DA304DB230C159E586EA8E91D274A490DD184497364742A01160640B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:54.075{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8235F5638D7B0699C1A058A2CCE245CE,SHA256=EB25FE2D63730527909786F9BABA5E0F3A7211002EF3FDAC6FE9F2DBC62348B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:54.066{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CF4A31E1CF9077A0F3E54E2A310F99,SHA256=AB07131A2AC6862C5DDACA5ECC2F69CBBBFB1379D4646AA68FF0410820633FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:55.169{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9744062D6F999C652D6F0387515FD8,SHA256=147CD5F7514F7230C7E1FB8AC8DFC53F3AE2982972C052E91B6EAE2B90967799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.983{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.983{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.983{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.967{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.936{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.936{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.935{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.935{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.935{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.914{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.914{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.914{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.899{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.899{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.899{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.899{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.899{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.899{F81F30E6-F667-62DF-3A06-000000006F02}1339613400C:\Windows\system32\cmd.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.903{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.899{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F667-62DF-3C06-000000006F02}13448C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.883{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.883{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.883{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.883{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.883{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.867{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.852{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.852{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.852{F81F30E6-F667-62DF-3B06-000000006F02}1340413424C:\Windows\system32\conhost.exe{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F667-62DF-3B06-000000006F02}13404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-F163-62DF-1F04-000000006F02}226413392C:\Temp\dcrat.exe{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000285212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.839{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000285211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.836{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F667-62DF-3A06-000000006F02}13396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:55.168{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639467066F1F2F7E81AD006EFF3FA252,SHA256=6B98C926FFC296EAC5CDC0D97E36A270CE5555DB3E5CFBD307F1433BCD339FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:56.966{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB1AFE7115E9578504E3F0871ABF8FDD,SHA256=F4A9710CEB2EC4A59DDD15E729C4BFA2A20926AF5841BED24351F739D240510E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:54.227{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65118-false10.0.1.12-8000- 23542300x8000000000000000285272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:56.414{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4312D57C1F357BE4850EAFE684483684,SHA256=83305F0D971958960196027045ABA1839E969E3A1867B09878897FF0302C1AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:56.414{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37BD36A9624EBA25E5BD8134572EBD5,SHA256=8004140A9658E6E8271E790F2DF0739084BA34A1E94D88B8368EFC9CB3388BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:56.263{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D0A973C27111B0B6B549CA5B9CA3E0,SHA256=C5938AD7B1B29F81A1BB63D1CCA117FBEC41484AC6468EE09BF74969B636BA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.533{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F8E5F4980D78B9F4BF3C5A221F926F,SHA256=66FFD0872002769336F759E5ABFFA6460EA5120E6D5466DC36017AF5B7027053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:57.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB15B92A56C5D57ACEB46FB204CD021,SHA256=BF2B2128C00F1AD909952DE1FCFDAC92CF9908200FE837CF4A7758F135298188,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:57.297{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:58.565{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE06278A1905500923DED92D826AAB78,SHA256=2A1FB6D944E2F84C7AC74A5FB003A59D55961B71B2F26C27D383817DF7422B90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:57.318{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51158-false10.0.1.12-8000- 23542300x800000000000000055181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:58.450{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099C6E82C3E1171D3DEDC3540803DC29,SHA256=8C51C1DE70023A395848F70DA998D8D2533D1D18FA273BF7E2552E57BD667CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:59.595{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A7EA2F932F9F152A0DD40B6D4B1FAA,SHA256=F4EEF05524DEFB58FA8E4F13BD5A3750A9FD18A0C17613BDEDB1FF1C5459598F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:12:59.544{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6DEB2AA3F8CDF10E8D6E71774F90F1,SHA256=E8456172B904DA54641A37C1EF9089CC8458C3B0C42F032F2F28B3A4FB01F97E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.962{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.962{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.962{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.962{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:00.638{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F16A2DADC82C1732187E47044DCFE0,SHA256=D42647F62DC3C5E3658DDEB0DFFA696BB6B102AD14CD92BC0DA648B8A40DA311,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.947{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.931{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.909{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.909{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-F66C-62DF-3D06-000000006F02}1352013524C:\Windows\system32\cmd.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.897{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.894{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F66C-62DF-3F06-000000006F02}13568C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.878{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.878{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.878{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.862{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.847{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.847{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-F66C-62DF-3E06-000000006F02}1352813548C:\Windows\system32\conhost.exe{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F66C-62DF-3E06-000000006F02}13528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.831{F81F30E6-F163-62DF-1F04-000000006F02}226413516C:\Temp\dcrat.exe{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000285288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.830{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000285287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F66C-62DF-3D06-000000006F02}13520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:00.647{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458FB38E450E419AF3611A5A1CD831BE,SHA256=8BECD2C4C6AE6606D79699939FF5BA2FD8263EE5D3C7159C1E7DDC5EAFACED7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:01.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F48B7626989A7DD15C5310C1B87E4B,SHA256=A97BAAC7BB6F6E60CD3D703FBBB33AFC5C2BCBE5FF54FFE671BA0DC3F8B360CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:01.825{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4CFDDBE5FFEB041E7F174B2F45091502,SHA256=20064E8AB1AA1CC8FDFF9BB7913442DA2E160A2F21316E9966B50303AD02C49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:01.678{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFD348116A9EBA740EC3C2FA4C89885,SHA256=BB4245C89902EBCB9DBCE8F16B2D9400608EE5E1A5A08EF31A3654D23638F8C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:12:59.275{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65119-false10.0.1.12-8000- 23542300x8000000000000000285347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:01.046{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152558FBD5FAE143CB9CADF35357289D,SHA256=87D81531B39248EC20DBADAEE0A1CC6DA279EB92E8C032AD4EB7B7A5C953680A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:02.825{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A560D25F114E136C729F460F6FBAB1,SHA256=9094B8A6559ABB37EC1FF9D79CF7F2B278FB231BBEC84F135395CF07303D889C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.728{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC69276336A36185FD6B60D02E562FD,SHA256=A52FD78262203F189D59C05F556EA966C9DB3B24E244F77A21D41701E1C20C9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:02.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:03.919{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE94C48315062BB1C1A03525BA6F0884,SHA256=092369DA4CBD4D7DB47103FF43C92FEFBC19C5EF26BF98821D9727D075F825E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:03.863{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D1C33140C8D02B73100B552C68D51B5,SHA256=30400C1CC9D8BECF427DF3C2F55D38042B21AD2BDDF921C0A5034CF51A1AA57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:03.828{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED27B9D6C15DBDEAE65C46DF8C1BE53,SHA256=8AD214B761E8090025C3C54BE174A826D61A4DC748D8BB2C2067DA4AB2F59CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:04.863{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E2897048AA0109F8EC378382469018,SHA256=01BF19C3923FB7627139B19BE357311A2828CB9B40062353FCAD5E09D4DEE70B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:01.820{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65120-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000285362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:01.820{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65120-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000285365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:05.894{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474E59CCCA39934EEC926F78641E4BED,SHA256=0E547CC2537341F6DC15D7083CD975F07AE325002CC32D53F9B98DAAF95ADCAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:03.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51159-false10.0.1.12-8000- 23542300x800000000000000055188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:05.013{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643093CDDB1FB566DFE62D26C39C9EC2,SHA256=485FAC4D29C418F5C129A124895742FA95C13E41F69461CE46386D97FEF1F080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:06.945{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346522362D5073D9C5A97FC503FDC35F,SHA256=F8EB69922154CC75AD6FC8275ABEF1B8219F06190717D83EF1EB0FD373979EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:06.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2BC40FA929A15C89BE5899395EAC2E,SHA256=651AA715E64DC81CDD3D330C10205B9E526D2C8AB335399120228CC4B0B03B9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:06.892{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:06.892{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:07.991{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE08C3B828E823A1B1947C3DC9751DD8,SHA256=EB3F060EDE7ED3138D36C3CD2C7285E7866BD5003524D62154BF935B33BEB0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:07.200{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFF19CF26EF50C6544316887311535F,SHA256=0AD2D995E408E8CDD64A56D13B8235CD2F8846EBD803E053C588E3F5427C0B41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:05.106{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65121-false10.0.1.12-8000- 23542300x800000000000000055192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:08.294{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC600C3CE9F8190F1F28370A5F007EF,SHA256=4FCC3352E84324B8C43EAD68486FFB8B9E243967A12E68DB74BD00D34A5E2674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:08.591{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:08.591{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:08.223{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:08.223{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:09.388{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BECF844E15916C783B8D0D2F7ACE18,SHA256=01B07A74E3FE355FDC83AA4B5B97A62AD44DA8FECE95EDD287A03E3101B3ED77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:09.025{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72538B3D28BB350C1141586D552BF862,SHA256=E0A498C8B85FBAA8DC34779540B956BAAB5E77591C2F372B33D9D7D657B8D7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:10.481{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672A74E8CD6A809E2707C657D94D0CD4,SHA256=6B984EF6C61C3F849B1A01265198D44C715A3C00F72127E8D0BA83B75DB90436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:10.074{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF0DB619B8BFD541C35D6F6627257F3,SHA256=C35BB316FBF5E7B3916A11AED5B9993B86894129E22F3BB4CFDA9C5A76DE4786,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:08.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51160-false10.0.1.12-8000- 23542300x800000000000000055196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:11.575{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3E0B216EAB7AFBE556F0AAC78321A6,SHA256=2D9DB2E86323A3C096D16FBA640F55F54993C602A4C65C6BDE4CDB3D91FD7B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.972{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.972{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.972{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.941{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.941{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.903{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.903{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.903{F81F30E6-F677-62DF-4106-000000006F02}1368013700C:\Windows\system32\conhost.exe{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.903{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F677-62DF-4106-000000006F02}13680C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-F163-62DF-1F04-000000006F02}226413664C:\Temp\dcrat.exe{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000285379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.899{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000285378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.888{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.204{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C19901561209D3D9412D540A02CB26,SHA256=46717155AF97C3B8E12DA40DB778D4A68620696B89E05791C6086F52CFCD9EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.950{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EABCCAB95EF0EE1444C9E5040F46456,SHA256=71E7579A0D898738EC1C74E30B40F456DD9E62C1489FE7794299EAFB831A6721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.456{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51724A0AF2EA6B47A8AC60A83F8C2F4,SHA256=56FB9B865B09E98265D2DB8B40C254BC85D618301302DB05F97B9F09B048E72F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F678-62DF-DB03-000000007002}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F678-62DF-DB03-000000007002}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.575{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F678-62DF-DB03-000000007002}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.576{53069400-F678-62DF-DB03-000000007002}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.309{53069400-F678-62DF-DA03-000000007002}1620380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F678-62DF-DA03-000000007002}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F678-62DF-DA03-000000007002}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.075{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F678-62DF-DA03-000000007002}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:12.076{53069400-F678-62DF-DA03-000000007002}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.103{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.103{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.103{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.088{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.088{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.088{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.041{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.023{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.023{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.003{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.003{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.003{F81F30E6-F677-62DF-4006-000000006F02}1367213676C:\Windows\system32\cmd.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.005{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F677-62DF-4006-000000006F02}13672C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:12.003{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F678-62DF-4206-000000006F02}13724C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000285441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:11.154{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65122-false10.0.1.12-8000- 23542300x8000000000000000285440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.522{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60F3B9ACB15BC51F68FF3F9B84D232E,SHA256=C7E970977AC5238B3617F3FB50954C037A6C3ECF85A194EC9A4F3869C011163F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.903{53069400-F679-62DF-DD03-000000007002}21801316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F679-62DF-DD03-000000007002}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F679-62DF-DD03-000000007002}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F679-62DF-DD03-000000007002}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.763{53069400-F679-62DF-DD03-000000007002}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.200{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32DB34E689747F8DD769BBB3A7E1C73A,SHA256=367989D7D2164667C9599A8B2AC8F9A18E1A76E2D17C55DD244A5D998A7A427E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F679-62DF-DC03-000000007002}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F679-62DF-DC03-000000007002}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.091{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F679-62DF-DC03-000000007002}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:13.092{53069400-F679-62DF-DC03-000000007002}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.355{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.355{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.355{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.355{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.340{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.340{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.340{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.340{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:13.020{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB65F8A17B95207FCD546E95D0FD9C4C,SHA256=D06B8893557675C67FA240CE0A70B64F25A728231E709250D61B562FA9DBC713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:14.554{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A05287CDCCB286B217585C244409758,SHA256=8007D48A12DC876324110FFFA11607625234F38A38DF7BAC94B98494D8936B38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.513{53069400-F67A-62DF-DE03-000000007002}10163312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F67A-62DF-DE03-000000007002}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F67A-62DF-DE03-000000007002}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F67A-62DF-DE03-000000007002}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.375{53069400-F67A-62DF-DE03-000000007002}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.372{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5174859018C660441E65F24D191B1E5E,SHA256=7D3AF0D13BF5C86151CA0841297C1AB8FAE5DDC624B7D6F61B05092C8FAD0AF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F67B-62DF-E003-000000007002}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F67B-62DF-E003-000000007002}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F67B-62DF-E003-000000007002}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.716{53069400-F67B-62DF-E003-000000007002}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.513{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD152639FB2227A3B506DE895CBF7A59,SHA256=607EFEC5746EB482EC8EF0D18FC5F65B742E5BDC143C8ABB8292A5060ADA2F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:15.600{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CE81FEEAA9D6343A43BD529E0DF4CC,SHA256=8762E7196A68DEAF8263291B5662966D99386FA86D4D1B3F296DE37DEEF6DD10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.216{53069400-F67B-62DF-DF03-000000007002}25723316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F67B-62DF-DF03-000000007002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F67B-62DF-DF03-000000007002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F67B-62DF-DF03-000000007002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:15.044{53069400-F67B-62DF-DF03-000000007002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:16.841{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26479C7AA2CC11AEA05ADCAB96BD6D2C,SHA256=E7B7224A1B39DCF1030363EEB41325476F42419EAFAE0470A11F9F8FA4DEEBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:16.763{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02853ED649F24D70034E336DC8A0B672,SHA256=31CA2B9909D1DD40E4731CB94F5EA58168E7783A2CC6E03C1FBFBAC1D9BA163D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:16.636{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA65B385914585EBB1FF305614FCC7CA,SHA256=156B796CD8E7075DC33D04E043822B6FC40469BD59BB008D7FE1E6E94257B952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:14.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51161-false10.0.1.12-8000- 23542300x800000000000000055299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:17.856{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AF28332E73822CCE4C0A27349EE5F9,SHA256=AA1E51F404BD7BEA0D9F711764BB460C69CA2E09A12CE387A68C84A8C2C282C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.968{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.921{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.921{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.921{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.921{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.899{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.899{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.899{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.899{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.667{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43523023BF232BF1019C88A0F1B33545,SHA256=1A32D11E18EAB73EA5FD578F507170D8476459A530DD2DD13C0EEEFC5796CF38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:17.482{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+183f230|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183f6cf|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1907bb7|C:\Program Files\Mozilla Firefox\xul.dll+1ae0b0f|C:\Program Files\Mozilla Firefox\xul.dll+1ad8cb3|C:\Program Files\Mozilla Firefox\xul.dll+18163f3 23542300x800000000000000055301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:18.950{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4744BD2C78206830280CEDEB0B07A693,SHA256=82C17927A0F18D3B19BAB1ECB219FB550D64F263695566104A9E6F8F3D9740B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:18.798{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBFDEC026F4116BFF0D747216C8D30F,SHA256=DF6EEC95AFB4648B31A0A144455A3C1F97D464219AC56BC1C9D2D9BA69BFA822,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:16.270{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:38f0:1ac3:f5ff:fef0win-host-ctus-attack-range-459546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000285458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:19.850{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DAAA30593560DAA0496154FB389322,SHA256=4B7B276D04C7DEBBB8439DF3DFC63E9DF77025E30CF3713B2F97D238FDC26C95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:16.164{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65123-false10.0.1.12-8000- 23542300x8000000000000000285459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:20.996{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF434B941C6705F780E0406203F23445,SHA256=5F2EA95D110BA017CFCC6751DE330E83D1B95917950E22A11C8B2F8FD8ACBFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:20.044{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED4626A63A0B754546A7A37F10BBCA0,SHA256=172B60B50640813E3176A3951B8B08BD827BCC2E499C87DBC12C54C251280BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:20.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51162-false10.0.1.12-8000- 23542300x800000000000000055303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:21.138{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B05C48CB1C6AEBC3B3146EDA985350B,SHA256=A25DF49587BE247435535D8DEF9909D85DFF56968D55BED5470E46C690F3C5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:22.231{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1574CD33ACCE4148ED78D00C1B2A538B,SHA256=27E772A7A9F1793684AB1A6AF3443FDA7A6C394CACB08FCB30ACADA79A083C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:22.032{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECAF56EF9D5F3AD4ACFBC53F8EE4FA9,SHA256=871742919836F7F86A975FFB1291E31994E9C87BA9DEA3993F5A970A65260271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:23.325{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE223351C4C4C87C233F951E1287C931,SHA256=7C180E5AFE834379279603645B38FD32267C050E8A833884A718F62249033869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:23.078{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37293ED01444FD21AB05306E91E2343,SHA256=E4B18EF493F292722A349E1B70F2B6C38C2DD625E5021F37C18B4BE49B062524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:24.419{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA4FE5F61F7DBCF76A1FD2508017D98,SHA256=20B53224A209EBE797793EC3D1F81E99E13748D2E292788FCDE282BCB73CDD70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:21.260{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65124-false10.0.1.12-8000- 23542300x8000000000000000285462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:24.110{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CA256745C03F9CE665D1EFF98620C2,SHA256=E65D174A96FFF0AEA918F54EEF9C75A58172F369C91792AB7827CCDF14752923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:25.513{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D985CC7D4A89191D217E156E749ADC8D,SHA256=9A8DCE1CC3A2725C8737694CB5E6D3CEABF50571283059CDF4AF5584C8CE49DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:25.160{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038345AA76A57975AC70D75FD2E73656,SHA256=BF7B02CBB5929EAAA938B0A332FA2F4D66DDF8C686FB634D3924D7F9EAEE306F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:25.273{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51163-false10.0.1.12-8000- 23542300x800000000000000055309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:26.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C236849657D46E4AA854366A7766EDC,SHA256=E1116D68B63ECE379229A12FB5666CEB6ABAFD0DF97427812313F392CC5769AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:26.207{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A31661F277F2626AC7A79076003E77C,SHA256=F008B01AEB1ABDBE2113622E28888763EF96F466EFB2EFBCD40956BE46883861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:27.700{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EA9BACB88270F0EEE36122E3BD6B86,SHA256=08E181CF4A56F4F26A06BD4BE344DB8088785649EC02CA05861E11473BB2F772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:27.373{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAA1498E1FDDDFA24003014B25D61BB,SHA256=84684F3EF239CD7937BF42FA035737D420D7834E1110661E57896DCFE09EDA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:28.794{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7A8B80366EC43293C586E516421E52,SHA256=95B8C9261DFC1102C90041783535918FCDCB451085B1F09ED60E83431F96AC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:28.425{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C907FBB26B168B676F8AFF98368AB567,SHA256=A5C763A848A6D4D61E8961172A2ACF2F83638800A11CA1ED73ED8C9FB3C1F53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:29.888{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A631357433571FEB478D9392222EE1,SHA256=DB8BEF0C4C63D26A91D73EE7F098CF10E3A5A0357FD55EEE6F961F90A5D6ED7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:29.455{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D68AD9F7BA74D3F29CAF19C8451EF,SHA256=34C8D16FCAA20B9BC2239AC715E78111B9605DAFA3E98D3AFF7A6BC291037AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:30.981{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC91C73CCB16904203F4E6C597682FB5,SHA256=3565648EFC732E61B4923ABBFD935993F8BE51431EBA8D216A9E3EBA569000A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:30.486{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95124FCC34B6791C4B607F83471A461B,SHA256=2110DB36C19BCAF6C25DBF6BF5C1102A1598C1870530FF08DF5F4F4524B8444F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:27.085{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65125-false10.0.1.12-8000- 23542300x8000000000000000285472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:31.538{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCFA0563473642A5BCDBC569AA5C03B,SHA256=D4D196F63C1743AD91A3156F3D85DCB8D4F6EBA6AE375180AA06A1D2A9777246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:31.123{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F99311E454FDA46C4509B3F75D4AE12,SHA256=8125888619FA264E52DD4B119D2C364D378813C67E57FCF06E740BF9BAF6FE37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.805{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F68C-62DF-4406-000000006F02}13896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.803{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.803{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.803{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.802{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.802{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F68C-62DF-4406-000000006F02}13896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.802{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F68C-62DF-4406-000000006F02}13896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.801{F81F30E6-F68C-62DF-4406-000000006F02}13896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.653{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70BBD8D07CA7095386770D94339B965,SHA256=D6F82DD6DACCEF7790AB11B1CEBDD032712F4E9E7621ADDC5260E08E2ABA02C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:31.224{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51164-false10.0.1.12-8000- 23542300x800000000000000055315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:32.075{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A181350F05D3AE28DFD397436A5B0D,SHA256=4AFC02D6F82C511661127A97DC5E5473A36843C91C87797C2E12F28DF9AC0D2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.369{F81F30E6-F68C-62DF-4306-000000006F02}1386013864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.122{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F68C-62DF-4306-000000006F02}13860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.122{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.122{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.122{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.122{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.122{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F68C-62DF-4306-000000006F02}13860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.122{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F68C-62DF-4306-000000006F02}13860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.123{F81F30E6-F68C-62DF-4306-000000006F02}13860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.972{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F68D-62DF-4606-000000006F02}13964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.972{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.972{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.972{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.972{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.972{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F68D-62DF-4606-000000006F02}13964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.972{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F68D-62DF-4606-000000006F02}13964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.973{F81F30E6-F68D-62DF-4606-000000006F02}13964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.707{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286BAF66E05545BCCA92437E509DFFD7,SHA256=C086CA938FC074CE64609D58409A930B6E6CCD2D5BE188F3CA8937D08B0CBB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:33.169{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BA5217E5691DD5795B8B9021FD61DC,SHA256=65466A47962DE7A9838E69A4392D26EBCDD9F0EE0635125C71BAD46EB07CDA02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.468{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F68D-62DF-4506-000000006F02}13932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.468{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.468{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.468{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.468{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.468{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F68D-62DF-4506-000000006F02}13932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.468{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F68D-62DF-4506-000000006F02}13932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.469{F81F30E6-F68D-62DF-4506-000000006F02}13932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.237{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37DF986ACCB7C34A032EACA374B82D0B,SHA256=945C8CE5495DC95A22180BE26182E5AC5F26565DE8C857026F5EFCA25286728F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:33.022{F81F30E6-F68C-62DF-4406-000000006F02}1389613900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.888{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BF48FF76280A60EB3DAEC0C9A0BF53C3,SHA256=71692778E7E978F7F27534F563408FF3F3A5157D7E9C27D08D3A7E06A176EA8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.856{F81F30E6-F68E-62DF-4706-000000006F02}1399614000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.842{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5373C1C8919098ED555654E0DE542C,SHA256=D16F3864BFEED8098DF703956F4426882A75B56151545427630F1E848AA87146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:34.263{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7D9F3C77939067FA193A196150FC41,SHA256=2118183F69A897CD77D685622885ECD2E3BA542D6781159D5A4084F5576C268F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.640{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F68E-62DF-4706-000000006F02}13996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.640{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.640{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.640{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.640{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.640{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F68E-62DF-4706-000000006F02}13996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.640{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F68E-62DF-4706-000000006F02}13996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:34.641{F81F30E6-F68E-62DF-4706-000000006F02}13996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:34.122{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E61A3FAA3C23C344C44920CADF05829A,SHA256=B333D8C1C4DD2200AE5DDC2A4DADD28E694B9611CEF49604375D343CF373A386,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.986{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F68F-62DF-4906-000000006F02}14072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.986{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.986{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.986{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.986{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.986{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F68F-62DF-4906-000000006F02}14072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.986{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F68F-62DF-4906-000000006F02}14072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.987{F81F30E6-F68F-62DF-4906-000000006F02}14072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.871{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0892822DAFC580D54454A61BFDC19F,SHA256=64685318EF409188F21DD543D03507147332AFFF740D752269DA5B56A4079BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:35.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB94FADF1891CCADAC100C969E1A630,SHA256=368BD1C26BA43E5DC76CBF3A4D7FF66C8B3632266868778E3E1CA170EFD7E331,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.540{F81F30E6-F68F-62DF-4806-000000006F02}1403214036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000285529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:32.181{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65126-false10.0.1.12-8000- 10341000x8000000000000000285528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.322{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F68F-62DF-4806-000000006F02}14032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.321{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.321{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.320{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.320{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.320{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F68F-62DF-4806-000000006F02}14032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.320{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F68F-62DF-4806-000000006F02}14032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:35.319{F81F30E6-F68F-62DF-4806-000000006F02}14032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:36.901{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44288C2F2F06C1A7AF1CA2A2638221BE,SHA256=405D16E85655817E36EC2476F3A382E34F506DBF5339C9F39933E1C655F03B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:36.450{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA3E17B51AA3A13CAAF5B9D8562D24E,SHA256=630F428675F76116883951C0CBEB496DFD4DA02572B0BBCF7F35BF26DFC14BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.919{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C401BB0B10E6532921DE51C90E759E2E,SHA256=1BB6F3B6F1A5DA6BA544B2615313203364FB299BF9A81791E2C11EFAB9871BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:37.544{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEACE939502064E05EFAF13CAE9386EB,SHA256=92D292C88F54599577EB80572A67C44CC725E36957A634FFF90113F56473717C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.438{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.438{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.438{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.438{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.422{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.422{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.422{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:37.422{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:38.638{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C7C1F8F7E57EAA2F0173BB630AE1F7,SHA256=D8DC723D831FCC2670FD4252E04C4CC7F792BAFADAAFB6BE274DE531C0E23869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:39.736{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73B075D6C042CE397CCCD6FAD22791D,SHA256=38EA2DBEFFDB830F9A35794A165187A7B30B2E5182DB0353985782F5F5EC0060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:39.038{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A465903D84F85E2DEC718213CC9836,SHA256=4BA97202C66D3DDD87FB5234AAAA5755F7FB975FD50F5F182FF7BEB4785B7F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:39.439{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-120MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:37.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51165-false10.0.1.12-8000- 23542300x800000000000000055328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:40.829{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03024396A7D34FE00C1F11268802A499,SHA256=5D433123E7C3F0F28EA153EDDD396A8BCAAC505EE71F4F222AD9EAF3F77EDCAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:38.196{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65127-false10.0.1.12-8000- 23542300x8000000000000000285551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:40.067{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6467580BD2BAB811BD4D47E17EE740,SHA256=DC122D593E010784F2C349EE1DF3ECB17393CBF256AE0A963C3E36EA3D6262B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:40.439{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:41.924{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEB1ADE05E8F3DABDE0EE97AD6E6709,SHA256=2B410E795A4992CAC915283495E1F12B23AB45092785BFC2E12C852B2BD27627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:41.114{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE2D30258B009A86A7AEC4C474C9E7D,SHA256=1E375B90E5273325FE5DCF49898538BA3EE41E47DAEEFE3DBD2D7FA7A57FF8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:42.165{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29623D5856DEFE8254E57AB730470B4D,SHA256=A761CB6E2E34B37B35AF13B73BD5BF077119F509EA4F72129D88C2D29DC2C9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:43.017{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6084DA18334EE7C06976AEA9DB159E19,SHA256=06DAEBD3A8DB31DDF0CD03E94A477893953693A9939911987989198401A3C157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:43.312{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8582E25EA82317591E108A2E9B093944,SHA256=B6F356BA29F5A5C1860D380D0D7698D51D04F69CAB1F046F7F1693755F0AD243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:44.434{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3844BC2FE50EE3CE1AFA9F13D79FC387,SHA256=146D3EFED6CA42AF556ED19ACB33DF36FF563B4FA5545A01A168D1406D7D3C74,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:42.228{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51166-false10.0.1.12-8000- 23542300x800000000000000055331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:44.111{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7FD43CAD74E8CB6545FC3DBE93D5E2,SHA256=07C056EA1AC1F19B0B59940ECA9A43ACB5907E0EB95EBD018D1D4FDC5E0C0829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:45.481{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0C2FF6123FDBB2E90D685BE1666CCE,SHA256=1CA885B82C1FA8B41BD2217D3F56EDC52407F581A7902BC50E131D735376A547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:45.205{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE85205D5621EFA6046B71B887F18BFD,SHA256=10945F21AC04A0C74E6CAC6DB50419A06F814E263CC61C7EDD4EB272E148B6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:46.513{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DA5A164BBFD42D19C3DBFE035D51EF,SHA256=63E21D53CB3E62094BCB14A6A082183A9E83C8608D06140EDC482DB6E4BBB14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:46.299{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FE0DCC253F6E8D06C692769DDFAC94,SHA256=B567426F9282DBF50A824873028C6A386904233B397FCC70D128747F72C94B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:46.267{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:47.647{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DA7016D33E0E70E43654D10FF7D0B6,SHA256=E735ACF17F94B40A0D2E9B9630627E267FCBAD30B93303BCE267F3016AF634C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:44.178{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65128-false10.0.1.12-8000- 354300x800000000000000055338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:46.322{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51167-false10.0.1.12-8089- 23542300x800000000000000055337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:47.283{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2B5D24EFCEC9DC9A25084C7958E8ED,SHA256=1D68A749CA73AFEFB10D8A1F1193D772A36F2D82CB6A47D80EC39AFB8B277A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:47.049{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4E092743E75CA480EC1296C6B4B9B238,SHA256=13FA7215709409B0C629BEE7379CC97426F1BDDBE73B6B6F37DA115E574C4D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:48.647{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F57A5EB8B52540DD18AF91E9ADCA48,SHA256=559E8F8CFFA264684BF8E49919A26540F130BDF3AFD6A236EFB97D5041CF8386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:48.377{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11551218C76624270F9A80E2321E862,SHA256=327D42ECB553E51D884FBCF4B06017B382EFFC4EFFA3C4AE7DDF19E5DD5DF9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:49.693{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910BCDBC96E930564814643EA732CE5F,SHA256=BCD6575AC9CE2CD37313C638542C519CC953DE2AF63A5D2F716DD98A527B980A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:49.470{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E091ACE46F1D1207F1846050AE9DA604,SHA256=7802CB23E1425D35B3F4EC01D83F864F4EDE76899386F9AF87CC767F2DE220B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:48.182{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51168-false10.0.1.12-8000- 23542300x8000000000000000285563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:49.247{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:49.063{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=FA60F12DD72E7AF6297AFFDF083F1F2F,SHA256=CF8F686EA6CC1AA4855E733067F2897B2E84A73F8BFD06F9CCCB9D36E0D5062F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:50.812{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD263271657D1A0999D531B4DBEE61E,SHA256=A9EEE86B4CD1C4678C5D29C96B0EE717B3724ABFDF3671E38F1694D621FD284F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:50.564{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401EC96237D231B97DBF6F84FEAA5ADB,SHA256=18EBE0D10ECB741298AE0640649B593B6478DB739734A89614C396306223EBE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:48.276{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65129-false10.0.1.12-8089- 23542300x8000000000000000285567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:51.946{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370918D35C4B1102B1B2931050F00227,SHA256=1F4A4091D57E8EF93260D70D925D7AF6659788FF7EB98D0A26F182E631D2D13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:51.658{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151AE31C12F7E684E6E3F95ED7703434,SHA256=7FD69DCE86723BABE516DF3DCA7CE417A832C4DC4F3E5C028ABB55BBAF21F001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:52.992{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBC2006C804C8DE575DD50CA4359A53,SHA256=ED4BDBC2ABD6FEA9F3ABCC83E606F4C08F43F84E4FC5448656C3A86D70FB43E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:52.752{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC9845DD04987BC9D1D6DD3DCB359B0,SHA256=923752837BB68F120E2DA44294138F24D9A8F9B7A157EE969D3B6FFA8C8DD4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:53.845{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9F94DE7F9007DFEF8740EE1AFF7A2F,SHA256=77978205C461954187B235BBD4E578BC297DD6EA4B9D592EBB97F3A8456B0F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:53.893{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-120MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:50.176{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65130-false10.0.1.12-8000- 23542300x800000000000000055347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:54.939{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A741FD604CF5CECBCD7234ECBE714AF7,SHA256=AE9AE4684E472F109C8E9AD8CC3D1EE59316C6D32642041FA0EF8FC38AF2703A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:53.182{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51169-false10.0.1.12-8000- 23542300x8000000000000000285572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:54.908{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:54.076{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1716C16BE1DD2F700422BB7734898A,SHA256=27936A7E734B0B26787E2569936CCE9B8B0565F790923BF69730666D13D52560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:55.108{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F92560D0FADF192CE4AA3E06B862150,SHA256=3CCD9A2A641B8B3288F342F631095CBE84E975465ABB4B799DE5E3FBF01BCF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:56.033{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA50D6221461BA88CE6FB6407B213C04,SHA256=516380CE93CDC6EEE4A7D5C82FF76F7794F988C0009A044149D38D8F22D1E5EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:56.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000285578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:56.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:56.474{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF71f4ba.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:56.274{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:56.274{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:56.143{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B407D5C0C66CB9B354011CE63DBA85,SHA256=E1927B5CB8DDC392C2A496D6C1B04DE9B2B91ECB07A06E17070B07B20D6CD1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:57.127{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E9E5CA4E4887B8AA483D797E5A5162,SHA256=B5C25C6D16793177E9134B9E9EF72C86CDC2667BB2D7EB2409D659C8A912F505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:57.442{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:57.189{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6174CC78A2C7A2A566C71A6266858F7,SHA256=D4E83539B039E07AF40FF59EE8DC98C428D9640BD67149798CC44B94EB063B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:58.220{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A0BC6594F270C9D08B53F7D874E537,SHA256=7FCD55A8FC9B14D405663F65AAA7F8C7DC0CDBD4BDD8AFE008CEA3FC261F1606,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:56.171{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65131-false10.0.1.12-8000- 23542300x8000000000000000285582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:58.225{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6162CA0AB79C8443AC79A4FEA1A3ED,SHA256=974D4BAC25FAE5D0653D25CD7F73E3A837EA3BE30F37A390B33F9E25A3E97AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:58.229{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51170-false10.0.1.12-8000- 23542300x800000000000000055351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:13:59.314{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B7B780AFC759CCE851CBCDC826E069,SHA256=A17055701B1F8967922E272C646346C5329B5CC7F45D5D9845D350467D94BA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:13:59.256{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AB799E79CEDDFF5C89365B904FBAF7,SHA256=6E1CC0D2E17418A86005F91C0152759010EDABBAAC00E1BD5283997FC190CCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:00.408{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5438E8F1D60497636A399B9E3712685,SHA256=48115699CF59E8CD7C07A51BCEAE748EA97B1257019BB59BB94D88F4010BE6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:00.524{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=7C48F7A99D37B328C52C9080F6CBF285,SHA256=34A3C18E74236132A0D04EC6FC89119E1BD0ADAE8B2F647403A603A4A81B0E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:00.403{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BA20B9A2174055A42A01E8D1EAE098,SHA256=BFC1E43284CB32448EFFD331B3182165CE53B8656AAD0DA0EBC342F5A2313B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:01.502{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF013CFCE3794B0A0239331EF15BFBC,SHA256=68EC7BFE6406E003B53760B74B6B411D30B3940866C63779983EDFB20437DBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:01.523{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD79522DE52C82590498000B9BE0D1C0,SHA256=6CD850E394E09597F3CCEF6DCFDA2144539AD60E537C7E1A8F220AAE593C4ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:01.323{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C2A344F0DC9C8AE5C3889AC9BB98DDB6,SHA256=9C081EDC324A1F8C96B061F262388FFE065E778644C36197AC42132CB1334366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:02.595{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B68A3C1E6F8D046470C9D747BD73871,SHA256=AAC3D36DA1C14BA418BAA4C310E969F8B982C197E874707A807137BAD1CA83C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:02.553{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAB7E477915F95AFABE8F51D5D5A171,SHA256=23827C0DA08C21A35CA4936B3A738A1822E443E251E97EC8B4FB7CC781426311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:03.689{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DB9A2FD01CA86CA8EA9A5C5038A589,SHA256=563AF03937C37B1185E8B9F2357A6343F0560D352FEFF34F5BA8656051D75D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:03.852{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B200D545B20FF2840B9F9114E27C1CFB,SHA256=268C1C8D79692BF6B16EE6DCC2271538C1DC8B5F003C92080B88B5CBFD9A8E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:03.583{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02A40F7E732FE7F2261667CF9C52B0F,SHA256=66A0086F12A46F3460129EC15012A6FC28276FF5393BF9527D6D6EEF134E2876,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:01.829{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65132-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000285593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:01.829{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65132-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000285592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:04.635{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF2357BB973404DC4E605D24B3E241,SHA256=AC5829844C33BD3C87D7D60D18D66EFB6BF8DB0FAE80931020EE745E730EC0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:04.783{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D837B44BBAE095AED9605EF8E5D9CFB3,SHA256=3CBC6D5286346AAEFF8D901E6CD7F73C701A1B03832A2016ECA4AC28C28E1ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:05.877{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F1C20EF7A07704400D72B9A216C32E,SHA256=E110A514278210E0E7F3D691B305DFBC4F2C2A092FB92CB99A446591E6960C7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:02.150{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65133-false10.0.1.12-8000- 23542300x8000000000000000285595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:05.734{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32FFE7D0338EAA9847978A50BC35BEE2,SHA256=790BE8C24F8F8B8DE37FA56402C5F8A0C0D8495F9C8BD9055426CA35A307415B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:06.970{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DC4B415B916B878CE42A0DA7B22900,SHA256=8B40251A230982EDAAB5098C6F464215D7DC1C04CB32F755793A92EB5739096C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:06.780{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8E37C8E3146AAC576D3916BC5CB115,SHA256=98DB7CFE30422E6224903F3229DD1B6516E48BB073545D085989F054281E2035,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:04.213{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51171-false10.0.1.12-8000- 23542300x8000000000000000285598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:07.832{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D914B1FEC1431EB338969730EB187A4,SHA256=A067ED183721AAAB1FAB961B786AB2C2DA419851939383158D8B3A0CDBEB712C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:08.878{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448FB59E2687F48AD4941D45A585AF1A,SHA256=4EFD8B4F44BB674685B2A931DDE5A89D2125DBEE1CE0D80A8DF659D523DBFBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:08.064{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24752A4B9E2CD0A8ADA8996A6DF0BB3C,SHA256=8D0325485BF968365240C75B986733475C265BF06747A9F89813B8BA2CEF4EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:09.158{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72643E93E8C7C66E08D170DBF8A227B2,SHA256=4D35A7C3D6D0AB6C082B0D78768EE38B1AA78C2AED1AE61A094B5C565555926F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:10.252{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD93DAD84ED6E186B4927BAE790618B4,SHA256=DA03A40D039DAB8D0F181469D6D4A70930F739D37A61A48FE2D78E2F4AC4B0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:10.015{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAB7B2426DEB1BE36B3FA666C9746E6,SHA256=D85D99DA144D42D2A1BA6187C6E4455DDBF5C6023B63DE2D0B4C93E0DBA53AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:11.345{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36208A3BE52DFEA66384B338B494F24F,SHA256=C0629F656877EEFCF8D9E7B4BA2B62F67183B046C041BF7FC119D0F1C181D471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:11.133{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ECDFADA5C9328F00DBB7F3EF60A4FD,SHA256=2E610506514539F36220F39FB8B6B7CE2D257DC6443E417E6F2F300FF288F564,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:08.160{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65134-false10.0.1.12-8000- 354300x800000000000000055364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:09.213{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51172-false10.0.1.12-8000- 10341000x800000000000000055394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.970{53069400-F6B4-62DF-E203-000000007002}3283532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6B4-62DF-E203-000000007002}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F6B4-62DF-E203-000000007002}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.736{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6B4-62DF-E203-000000007002}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.737{53069400-F6B4-62DF-E203-000000007002}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.439{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA290E042FDED470CA354DF72D82A527,SHA256=4E9F87D347C1C8C7EF997900DB8A1EEDCB44DD5CAB270EC1C867C4E471E6CA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:12.178{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AC32CC51EF89E8CB92655363A4E7FF,SHA256=DD65ED9AE8B566027C9A539C2EB9DA05950A48B4C6114365AD110032C973CE53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.267{53069400-F6B4-62DF-E103-000000007002}38803928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6B4-62DF-E103-000000007002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F6B4-62DF-E103-000000007002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.095{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6B4-62DF-E103-000000007002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:12.096{53069400-F6B4-62DF-E103-000000007002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6B5-62DF-E403-000000007002}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F6B5-62DF-E403-000000007002}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.908{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6B5-62DF-E403-000000007002}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.909{53069400-F6B5-62DF-E403-000000007002}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.580{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C72C787732DDA698EF6D2C824FA94D,SHA256=C3753D37727346556F1A12259195CBC91B03361B76BB5AA6A0D7ED5D8BCF56E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:13.195{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D342883BFDBE146E7DD0FBCC7E8FEA94,SHA256=2B120811B183A074F6CE6B800812EBF2B6342D32CD9F9A1BF83E4DA9CCA24BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.252{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9032AC16313B0CAF73C7316C5FA2C762,SHA256=04EFC319A517BA1CB920C720EC531EB12BBEFB2EBDF64423120E5D7AE4DA1BF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6B5-62DF-E303-000000007002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F6B5-62DF-E303-000000007002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.236{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6B5-62DF-E303-000000007002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:13.237{53069400-F6B5-62DF-E303-000000007002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.720{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EC636570885A64A9DE7ADAA3CBAC6C,SHA256=981D6057B81E003F8190C05F5EC24FEB1A4FEFE62E80E12DF482FD61DB8C5ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:14.329{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010FFBA21DCD1F42A1927A45BD06DDA0,SHA256=3316BF9B149FECBBA5AA208ACF4295CE8A55938880D571C0746FE5F2D615825D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6B6-62DF-E503-000000007002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F6B6-62DF-E503-000000007002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6B6-62DF-E503-000000007002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.580{53069400-F6B6-62DF-E503-000000007002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:14.049{53069400-F6B5-62DF-E403-000000007002}39963964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6B7-62DF-E703-000000007002}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F6B7-62DF-E703-000000007002}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.798{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6B7-62DF-E703-000000007002}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.799{53069400-F6B7-62DF-E703-000000007002}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.752{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2DA3B52835F62DF7189C99BA814F6A,SHA256=A94D7D048EF5DF5C4BA810D21DE546B1C899E9FB3242A9A31BE69F774DAC7EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:15.374{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A762978AE9F38007089050485E94824,SHA256=0188E4D6D2430036C058BCC440530F9A637EF37CBAE15CCABDE6EB340400F6BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.298{53069400-F6B7-62DF-E603-000000007002}892880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6B7-62DF-E603-000000007002}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F6B7-62DF-E603-000000007002}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6B7-62DF-E603-000000007002}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.127{53069400-F6B7-62DF-E603-000000007002}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:16.845{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F4D0A29264F077FFA1A1AED3BED8A9,SHA256=6DC255A95EBB3D6AF7C7F9242D27BACD63D434AD2FDAEE29D3BCD8A54DB7A625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:16.512{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD62AB3DC942A8982D81BA6DE872CAE,SHA256=9E4FEAEF664EDFB01837FAB6685F0C2D4140E41BF580827CD37710F6DB588732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:17.939{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE9B1C8214903736695B5B12B7E62DB,SHA256=CD33328DCE6C739BEF23FD669A80816EFD1AD1862118CE1C5225BB8DD227E860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:17.558{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BAEB955DE266D14FBB0364AE93655F,SHA256=2B5DB15F9DCE4E798757F09C548B712E17B9210E39C115897A371C91E7618D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:17.298{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4FB422DD5E51C3F99DA5C17548D33F51,SHA256=90F90D35559034F69E276EC8FFC2F9644195A7D0811BDFBECE37DD479ADFA03E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:15.150{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51173-false10.0.1.12-8000- 354300x8000000000000000285608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:14.173{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65135-false10.0.1.12-8000- 23542300x8000000000000000285610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:18.673{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F3C4246229CF9DE1525BFC14CA6336,SHA256=36C71907DEDEF45053B9D6974B4A46674F28DD68A94A7C398B8891AE9E4BB9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.778{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53F4DD40C9E11140580D23F35B78EDC,SHA256=5757FB7169EB6F364B1E615F951A4D805B43D3BCFC0CA19443BBFEF48A46405B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:19.033{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE8F48737955A1AC0D451E36F492172,SHA256=4EA77AD8A4E0A82D8A84D23A00AB03E8C66FBA9C556380B78672F32374ABA49D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.546{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.546{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.546{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.546{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.531{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:20.897{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECE82100D612BBCE597E46416FA64F8,SHA256=4680DCE01E36ED196A7816940A32376509B5F45556895B1C19DDB415CF7B6D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:20.127{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C4F404F8C8A7786976B2BD2BD5319A,SHA256=7185C7A8BC8F8C8DCE3A2CF3B0386C183CE60BE958FE90FFF9CC9E1B07C51183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.977{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.977{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.977{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:21.946{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA59438CA67FA408A51664AA10C4949,SHA256=0A20F1A0E16129B3755EFE0208175C51FC24BA58C108F85FFAA4A26E63204472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:21.220{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74336C68C4DA923BDA4CF55178262F80,SHA256=FA1A27ACB47187D810AAC4A4E4F34644C26B8DD023AB5AA09746DA9068CE83DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:22.962{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F49C7827E2C89C77B3D0142B911183B,SHA256=6698783DFCE1C8551D10C31E61DF124546AF94F2EAF79DB18AE6E51CF15F61E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:22.314{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BE65698F6088DB800DED8E968825B1,SHA256=832B52116F34FDA6D1D59F2E6DC4F4E02AAF8466AD446B7B38F725E864074E3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:20.275{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51174-false10.0.1.12-8000- 354300x8000000000000000285630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:19.261{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65136-false10.0.1.12-8000- 23542300x800000000000000055475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:23.627{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564BB05F73D638BF03FCE8254A116682,SHA256=1C50F9AD8BECE4384B74FB7B1437F1DD736FCA608E71B51A261F38858BBB09D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:24.720{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB5A219F8B35A24D52912497413AA51,SHA256=30D30A0B6EF5DF8182E7F2FFAF9E304144BD2C8E497F6FF0AC3F93E503EBB8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:24.080{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D065C5A8E213AD03AE1D52B7843FC49,SHA256=F1150F4ECD4D196D2BFD784BEAC9EE50099F15B58DC012BC5EDD1D6570239117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:25.814{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659062F20E70681A3897A5DDB633837E,SHA256=98A53C4C8CFCC982BD01A4995AF393034B7DD9FDB3E64814756E8E1009590037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:25.132{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9240FF4F509559FD3AEC560971763F4D,SHA256=81A8457449FEF179C5FEE95A03B293863CF8714646E863D7306B65DEC2C2F0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:26.908{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB326254869F78E3DA0906BE23BD86F,SHA256=289C6CD0317F57A871AF80D413B63814D276ABDAEBCFFCEF176319910FE0AAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:26.163{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450DD0E802A882FC7F363F3B33DB3732,SHA256=DB4CD0C9270E7A43B791FC6BACF36288DC6819D3BA73AE90888E23402A9AA496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:27.195{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA64C35361676979D0039ACF76B321C,SHA256=89E7CC3F01D0A9C90949B9B0A51796D13E08F854654CFF02A8DE274136E91A95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:26.260{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51175-false10.0.1.12-8000- 23542300x800000000000000055480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:28.002{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7F5CDCC53B04D486E23B05C97F0083,SHA256=6E34AB6AE4C23E7EEBAB3CF201CD9B42ECE8B8CA7AEB8E5D9959CA82C919A460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:28.715{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:28.715{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:28.330{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2802CB39BBF696FEF0C7A906C1C073C,SHA256=9691E5A1606193DB0E55E908C83FC8ECA8C654AFB9C89C1AA58B3F02808FEB43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:25.077{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65137-false10.0.1.12-8000- 10341000x8000000000000000285653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.976{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.976{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.976{F81F30E6-F6C5-62DF-4B06-000000006F02}1196812044C:\Windows\system32\conhost.exe{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-F163-62DF-1F04-000000006F02}226411868C:\Temp\dcrat.exe{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000285642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.960{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000285641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.945{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.345{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6F9858C5F18822ECBBFFEF00525C81,SHA256=B52FFDD15593CE23762A136AD894BEE31054A4B44112D3E5AC75651262A4899F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:29.095{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668AE224EEB7A317361EBED9A0B1B2F3,SHA256=D9ADB747C707F4436EC63B9A6634927D38774DD5270D7ABF4B486782C01779CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.993{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D141F192D16D98D491B28A8EDC225A,SHA256=EC2ECB38CD5A733577E243CB94359EEE1DFC7D87D34607D26039089747CFAFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.992{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54330F5BE831C5AE63CCCB1471E83503,SHA256=7022282F41E4DC0ABE3A304238A6167467F08664AF529F5D2030AACBFFADA07C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:30.189{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB980C0F953640949ADB9E157BD702C,SHA256=79DEA2C5F8074E9641949E592A242B55E300E6E1ED8B3AE277DADD882271281A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.097{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.097{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.097{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.097{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.097{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.076{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.060{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.044{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.044{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.029{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.029{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.029{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.029{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.029{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.029{F81F30E6-F6C5-62DF-4A06-000000006F02}1196411972C:\Windows\system32\cmd.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.035{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.029{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F6C6-62DF-4C06-000000006F02}13388C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.013{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.013{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.013{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.013{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.013{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4A06-000000006F02}11964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:29.997{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6C5-62DF-4B06-000000006F02}11968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:31.283{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C4AC147C26FA29268E70043C363BED,SHA256=4A128F11C57C63C9B345929C8086A7E4B622D6C30850768A9984F042F66D537B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:31.259{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0740F10A0114FF48E5E8C1FBD0AB92CB,SHA256=9ED98F0E131734447A5F72155EB92A31D0B1A770540A76F103EB3A5E778833A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:32.377{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716A0B78FE479B760B61BA34CB4B4DC5,SHA256=600C9EA88E46140A70AB9609CED0C741D7BBE1ECA56C415B04F6D9E3274EA9C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.798{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F6C8-62DF-4E06-000000006F02}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.796{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.796{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.796{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.796{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.795{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F6C8-62DF-4E06-000000006F02}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.795{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F6C8-62DF-4E06-000000006F02}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.794{F81F30E6-F6C8-62DF-4E06-000000006F02}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000285714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:30.242{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65138-false10.0.1.12-8000- 10341000x8000000000000000285713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.377{F81F30E6-F6C8-62DF-4D06-000000006F02}1353210600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.130{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F6C8-62DF-4D06-000000006F02}13532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.130{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F6C8-62DF-4D06-000000006F02}13532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.130{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F6C8-62DF-4D06-000000006F02}13532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.131{F81F30E6-F6C8-62DF-4D06-000000006F02}13532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:32.097{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A102F52AE8A9A247EA4F956398B4E91B,SHA256=7533338FF626650FA821DDD43489E274ED3738B0B4CFA2977E4E3BBEB9FE09A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:33.470{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F614682F6DB43FDEC811CF28A80153,SHA256=85A0B055546CECE95A637BA7F6AA6AD2C7E5F7FB27112A5B51120E906F45E5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:32.199{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51176-false10.0.1.12-8000- 10341000x8000000000000000285732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.648{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F6C9-62DF-4F06-000000006F02}13624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.646{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.646{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.645{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.645{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.645{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F6C9-62DF-4F06-000000006F02}13624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.645{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F6C9-62DF-4F06-000000006F02}13624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.644{F81F30E6-F6C9-62DF-4F06-000000006F02}13624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.197{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65C9CE1D5B67BA828ED5531AAAA3FA6,SHA256=292AAF4AE004C8A96CE47A5CA0EFA5E45A9664E2956B3824D2A6FDD17B80D6D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:33.139{F81F30E6-F6C8-62DF-4E06-000000006F02}180410180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:34.455{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D123B4D8F05D95CED1A65F588B2D05,SHA256=1A7C2E0EA6660CEFE606C1485FF80CA510221356CF02BD0A0C0B35B7F6AEF300,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.961{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.961{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.946{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.946{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.899{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.899{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.893{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=99A469656F3BAEA616C40EDE21AF564B,SHA256=355A3464506A9FDFF466F29FDA6D195FDA66C43ABECCC2D9C3AA98CB5D80E256,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.816{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F6CA-62DF-5106-000000006F02}7724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.816{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.816{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.816{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.816{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.816{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F6CA-62DF-5106-000000006F02}7724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.816{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F6CA-62DF-5106-000000006F02}7724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.817{F81F30E6-F6CA-62DF-5106-000000006F02}7724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.582{F81F30E6-F6CA-62DF-5006-000000006F02}1368413656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000285753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000285752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00728978) 13241300x8000000000000000285751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a0f1-0xa6358c35) 13241300x8000000000000000285750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a0fa-0x07f9f435) 13241300x8000000000000000285749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a102-0x69be5c35) 13241300x8000000000000000285748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000285747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00728978) 13241300x8000000000000000285746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a0f1-0xa6358c35) 13241300x8000000000000000285745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a0fa-0x07f9f435) 13241300x8000000000000000285744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:14:34.551{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a102-0x69be5c35) 10341000x8000000000000000285743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.311{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F6CA-62DF-5006-000000006F02}13684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.311{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.311{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.311{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.311{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.311{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F6CA-62DF-5006-000000006F02}13684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.311{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F6CA-62DF-5006-000000006F02}13684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.312{F81F30E6-F6CA-62DF-5006-000000006F02}13684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.227{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D326C9FBC7F61A8D37C3494BC8D9B5C5,SHA256=394AE25A150E11FE707B6114E864E9C6F1EFEBE193B7468F2F105633E61755A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.211{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.211{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:34.127{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=64DB73CD78BDF324DE41BC030A10E558,SHA256=B41F8E83814168366A0581B97037462E47F7B6CEC26CBAEBB80D2CD2E32BB65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:35.548{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1DF01BE31847AE2FEA656A1791D8E6,SHA256=ECE392F2A2E6815662E019258B3520F948E1A557590DA294E0C42EF8C1878944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F6CB-62DF-5306-000000006F02}12596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F6CB-62DF-5306-000000006F02}12596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F6CB-62DF-5306-000000006F02}12596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.932{F81F30E6-F6CB-62DF-5306-000000006F02}12596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F6CB-62DF-5206-000000006F02}12316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F6CB-62DF-5206-000000006F02}12316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F6CB-62DF-5206-000000006F02}12316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.320{F81F30E6-F6CB-62DF-5206-000000006F02}12316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.317{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A2155C72CC356DC553B1E16B9145AF,SHA256=E9C810CA1F7C801DDDC574C516173261CCBCBA2954D32D73CF97BB6E8935B0DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.117{F81F30E6-F6CA-62DF-5106-000000006F02}77244232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.117{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.117{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.030{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:35.030{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.999{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:34.999{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:36.644{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39A7DF9842294F2AD52BBB4E43DA849,SHA256=EE7AA4F30E7E9C5287D2F25E2CAD1F62F061DC448FFFBD16280C53D7AEB9E69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:36.964{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:36.964{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:36.396{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175104C27F2F0E10021059B6F8DCA885,SHA256=0374172627AD7D58BCB7A77368EBF428E25ECE2A506110127C1197E87E1A6F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:37.737{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366A8EC304386825B0EC12B47487CE55,SHA256=7FA74D3CAF742B9BF19CDECC000F77831C6EF6FE633B0412C842DBA9AFF7E146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:37.472{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC42211949CF6A6D9D7D6918D2FB43C,SHA256=45C0F09F0D74936D67BFD6D519257EA959C349A96577A0FE716B3EB4708C5B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:37.052{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=251CDD3AF8FCBA205FF7C4D53319F03E,SHA256=1ED882070A789C04B3CA058404574234EFBA5B3711A24CE49208F2F39196BD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:38.831{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F40A4714362E4647834DA87A74BA9A,SHA256=2809CCE5B0E3AA33353B48500972B18835C0B5A7CB76F3B544B95CDD9682E479,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:36.083{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65139-false10.0.1.12-8000- 23542300x8000000000000000285801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:38.501{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1FDEC626A1D4ABA68E236B80CE807D,SHA256=95685E4CC29E1D5198DD6AE45614BE455F44A39A3B632FB19BDDB63B50D2381C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:37.198{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51177-false10.0.1.12-8000- 23542300x800000000000000055494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:39.925{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF26D012551BF0E023D3EC8577352A2,SHA256=1631BF0D11409A4EDD3473039D3F4971AD18BAD2F1D1D6A9684777F870280100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:39.551{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23309284C708F967B874FFB9AEC88CBC,SHA256=67BF7BD3809B20040A6259593F023AF07483C0170BF9D5AA0AB81C8628DE7302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:40.960{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-121MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:40.581{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F73EFBD317CF7106D3EFC6A6D11A5D1,SHA256=17A78FAFFFA568BE2363FB2FCD3F0558CEEFACEA64624178438CF70CFF0212A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:41.961{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:41.617{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43178CBC9AD9834705615FF92BD2CF46,SHA256=4E12B3CA03E04F31CEF958570B8800D1D15118B9B3954BBAB45172E5A5B9E317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:41.023{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E1FC1CE7D8C341457FEC961D839CBC,SHA256=F2A3050CE4B0B847C12DF66D37A6A87D33BC4186C00E1D091C0BF1C084003378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:42.992{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C027863DF5EDFE274D6DF3821DE31F9,SHA256=AD5E903CFC86AA45D84B22F2AEE6E980D82D09BDE59928EDF06F6C54C49AEEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:42.747{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABD9993A13625191C1DC4CC0CEF7BFC,SHA256=4279AA2F3601943ACDDE102AAEDCF6726928F2ABDC6D58D3AD9208DC2803B1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:42.006{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55463D421728180D474FA582F518314C,SHA256=BF0E4287A9D9CE664D94941BA65B819E952AF31139976A34B260460B12CD3064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.946{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D21A67E725D44B61627A629574B126,SHA256=B4ECC3349BB405DB47A3AF8C1B8F0096806DDDBA1473E555A5E7AB4BED7591D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.946{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796DD6B14FCC5A64279787C558FE2E76,SHA256=02E73D3AEFFB13CDFBE56AA0154F911B72241EC5CFE5F463D6908DAB92123082,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:41.225{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65140-false10.0.1.12-8000- 10341000x8000000000000000285866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.416{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.416{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.416{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.416{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.378{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.378{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.378{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.378{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.263{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.263{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.263{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.263{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.263{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.231{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.216{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.216{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.200{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.200{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.200{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.200{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.200{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.200{F81F30E6-F6D3-62DF-5406-000000006F02}1305213056C:\Windows\system32\cmd.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.208{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000285834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.200{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F6D3-62DF-5606-000000006F02}13800C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.178{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.178{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.178{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.178{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.178{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.163{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.147{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.147{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.132{F81F30E6-F6D3-62DF-5506-000000006F02}1309213120C:\Windows\system32\conhost.exe{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F6D3-62DF-5506-000000006F02}13092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-F163-62DF-1F04-000000006F02}226412992C:\Temp\dcrat.exe{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000285808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.117{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000285807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:43.116{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F6D3-62DF-5406-000000006F02}13052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:43.109{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51178-false10.0.1.12-8000- 23542300x800000000000000055500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:44.085{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DAFF42B6A944F859EC48F0D250A31F,SHA256=530EC5DA59CD43DAE4CB6AB4E4996FA298F401B803F5E7CC02EB873D80C216C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:44.215{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B5A6C40E43824B87CA090F103B9C2FB,SHA256=9101B695A40819B867FC5EBB064AF44C93C7B3FB47A866836C7B3978B86C5640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:45.179{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2BCD8C729047551CCA2010747DDF3D,SHA256=738F90BCC46993D0F4B4FC4F91026B8A2FC8A2442AB83DD3A5D258B6F426F396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:45.061{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68E31A62B795DBAADD715CF02153C3B,SHA256=096EE56855B315A44B5F9B47F310618307D2FA51AC8FF70D1BE79908C32C1DAA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000285876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:46.546{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 14:14:46.546 23542300x8000000000000000285875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:46.546{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000285874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:46.546{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 14:14:46.546 10341000x8000000000000000285873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:46.330{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D9BC-62DF-8700-000000006F02}4224C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:46.194{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3FF6AE5275DEC2E3F39DDDD36DEF5E,SHA256=EB8C1D833455C6CFC7793EB8681E5E46566ADBD83DBCD5D76238FD3282847788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:46.288{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:46.273{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B37FC526BE498D2EFC49B9F2C6DEA9,SHA256=C095E67593C510ECDE310F3E1312231881C9D0CB9B80CD50623A45E1BE611F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:47.245{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB607317B73AC9EF00AD37157B5D2ACE,SHA256=6836423E755DA3435CEE2D5CA9533916B1A7729A1A72DE63303191DBF0FE9069,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:46.343{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51179-false10.0.1.12-8089- 23542300x800000000000000055506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:47.507{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AC754D1D58F3F3562A8E81F4EA90663B,SHA256=5CB9AB75BE67CC63C0671105560D657AA844FCC37428975CD6FBE4B362EC907C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:47.367{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F96DA02BA81B9475FA6FA97AC90809E,SHA256=7B41DA62CCD49E80963746BFD030DB555928AEDD51B58FF3F3F0CC2FCD822D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:48.262{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41745FFE128F95D391C60F662FAD1ECB,SHA256=F2975117D59A718A8BEF90A89638B6C6B061613B4F787E1D8407C3C427ABC73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:48.460{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9805807337741788DA822D448225FE5D,SHA256=9D5032FEE2F8F9A28E86FFCF5740060F7CA415191A8BE5B869CAEE0A7B299699,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:48.281{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51180-false10.0.1.12-8000- 23542300x800000000000000055509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:49.554{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B54DE0AF3C0796753E0F5EADE772479,SHA256=19F35793F15192376A9A3E28A85D927E054E7E7D49581931D9014AAB4A4DFD7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:47.092{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65141-false10.0.1.12-8000- 23542300x8000000000000000285880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:49.394{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E0A5C17960B076AB0D1CECFE99FDEE,SHA256=58DE07B4BC1A8E071633FBA22F481C701D6E854B58534E93F0C2E7F29680412F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:49.261{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:50.648{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69545CB7DE136C7B3B536A7D228F748D,SHA256=A585CBB0940B023EEC19103425E991BE9ACE31CBBE10C39A505FD093AF6FB07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:50.429{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4090A21CC894F0328C1FB645D98903,SHA256=466FE15DEA01233B5C3B524AC0784E83C7A54A29261E36F010B574813C5BDD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:51.742{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC4A19D67C7E80A96AF8B564F226579,SHA256=C16A36B774515475F5FF2CDA8E5A4086944338C1C4C9AF31470DD2CB40D68C94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:48.277{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65142-false10.0.1.12-8089- 23542300x8000000000000000285883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:51.530{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86919392A611EF84CA4B59C84DA2E361,SHA256=ECD413DF86BC643BD4F1FC70C05ED319CC3B17B114C2B92FDCBBB05088DD422E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:52.835{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0FA52DE94F83A7ACC0861BC1527046,SHA256=41147EBAAB80B5EC427C798657B4253AEEB1E2423EBA202E7721A45612D50758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:52.676{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B88FF03BB16BE35C4F59181180BF55A,SHA256=035047964A28AB67ACBB9A80F9A862664F220EF53CA556C52A8A7960F2193C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:53.929{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139C2FDAFCD1A4B965955C796D179BAC,SHA256=3FE0B39651FF23305F401468A6DDF804DF23CE8221B1BCBDCD4C301FD5CE42C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:53.694{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255870A486C74D66CF76D51EAFB9D98A,SHA256=3E779BC317A7E7D6E98D21EEA9E7F2B3DC89598D39FDD3462D86681C93DC8DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:54.742{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8E338DF1F043B812A4617CE9731FBD,SHA256=CD236AA9174C4D411ED2B232430BCB9D58DE18D117B15356FF00A62F6DA97620,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:52.275{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65143-false10.0.1.12-8000- 23542300x8000000000000000285891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:55.773{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A14B081E0B34D94B69018A841D7C05,SHA256=87BDD45B42392F08449D8F78A74F539E7217463E1E6EB566EDF50D5E00AC7E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:55.023{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47FC718869A2D19323CFED9490FA198,SHA256=0635086F9A38C9ACA421230389E47D9FBBA6D7F098444581C85355D7C7674443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:55.553{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=CE34B66130596B2A3C7C90E3AC814DF1,SHA256=473125156E2DFEC249DBE2EC185A338AE40880785F6438CA3DF2981C2B10AAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:55.444{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-121MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:56.790{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662862C3662B4D5CC8167868BB10E9EE,SHA256=CF5FFB9BC176FD99C23D50D087B43A66D0F5A34709A0BD7D5E229B34E5F855BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:54.203{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51181-false10.0.1.12-8000- 23542300x800000000000000055516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:56.116{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89425A438B92F16A5AB421C883E681A,SHA256=78B64D03FF5679D16D17DEE3264BB905CDF93DECB1EF396B0CF61BC740BCC60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:56.457{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:57.840{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D262C34B87FF128923A360A16E5C6E,SHA256=6798832597FB6733E40805C94859C7F5F981D5E84DE35DDEC508232D984F8572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:57.210{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F63E709C65F2E764886509773C2C7C,SHA256=907CDE4172D04E346DA2733A6CCCD4BFBF47F576DC0AD30BBA96B03214082547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:58.989{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:58.988{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A11A547A5C92477FF9AD5659CE1B5282,SHA256=6DFE819832FBE2759D7ACF7EFB1EC614348EF5E5D60C11E7EED3EFCEC860DEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:58.971{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE622563461B4774834CDDF4229C6A6,SHA256=05FE7393C8401FDF7BBA84478449907BC3C2F89223DC8DFA6EDE4EAA3DBBE9A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:58.304{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F45F8BC8D447EBE6B5F5675F72A425C,SHA256=59A8F8938DA6C87272051AD094960D02D1BE8F96AECEECF6DB7E10F1DA827C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:59.990{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9447DC30F0848B4EFF4F27BBC7C845EA,SHA256=E8CDD9CE7957DFDB17F34BF5B52150988FC252606B7F2A0B952569684F4D43C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:59.398{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0536C015DD072F22D8A169A8E87407,SHA256=70558650615DD250B935E702476A29F54101BFB53DD51DDC096D9098A0899EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:00.492{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73F9FA4539C81016E4926CE9D059051,SHA256=2B1B81978B3264B95BA4F299253304D0A3EEBE471DEA22011E8D6C4009E4DA11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:14:58.039{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65144-false10.0.1.12-8000- 23542300x800000000000000055523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:01.585{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FF2944B64776C38B2697CC125C0140,SHA256=8F298B7FD9CBBB9D3E2611CE1055F640122E37614E568F35DCB0DC13371B1D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:01.492{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=94B60B5DFD39632FFA2A450BE90AB147,SHA256=4F61DCFB6C2A673C83CFA8A157B96CDA1E5263AE8A10CFEC6B49EAE12C941842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:01.025{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D16FD34447F2474905F141E134AF398,SHA256=CE990BF2A7BFF277615B565869CC1841F5CCCF24B4DAE2AFB745EBD93D82C398,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:14:59.203{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51182-false10.0.1.12-8000- 23542300x800000000000000055524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:02.679{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE851876CC095D6AB3BD6ED75B13564A,SHA256=3ED7862692623E5EE7E1871ACE9F3FACD409713CA0B549226D4A5E0DD6BD9726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:02.055{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A550F28CF414EB7646E7AA402A9C4294,SHA256=3D94C54200006C3887A38A8A67856B24B33C78E1F6DF8CD7931543F306BB0A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:03.774{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCF926F48D2418BA756561F09009D76,SHA256=17CDE97F947E36476431B63140412486B9EA7ACB31B0EF17DD65E27F541393FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:03.906{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A32D0C90349D83072A3FCF84DA64EB2,SHA256=B9DA8F862D6D6CFD8CCE1091ADBD8DDD2D266B415B2A3E0F10FC023FB92F2C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:03.107{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21251053FBDC8C0D838F4F4F34885289,SHA256=5D128751ADE3E48F459425337C96DC72F968848C65F04F86C6EF274E134884C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:04.867{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C981861E64FE352DB1D0179FF2C234E,SHA256=01119506B35FF1BAFC9CC91B1617818B54172A37F558DAADEE377608F1B2BA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:04.140{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB25AECB18266EF4E6E8E2BE286A6D80,SHA256=88746DAB076AF094A2184BC5293EC98651F10CAE5BC37B155E88D371FED7EF8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:01.838{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65145-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000285905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:01.838{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65145-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000055527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:05.960{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB2F74540D73F11E3F4E9235F8857EA,SHA256=02B24EA652FB60FFEA2223DBDA12E786A8B77135C23B60F737E6ED22B62CF940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:05.187{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DC57F58D8DA16578A1805D3448A5F3,SHA256=FEA01A3CA3AFEE974F25149904FE21FB12EC479B672D06FFD181B8E1C4A0EFB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.323{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:06.307{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736812D06709E51622868BC42878F34D,SHA256=67652C4685D01077ECA83D37C8247CE18912A1E44D805761EC35679170635743,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:04.265{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51183-false10.0.1.12-8000- 354300x8000000000000000285909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:03.239{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65146-false10.0.1.12-8000- 23542300x8000000000000000285947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:07.639{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E9252967C5478CFC30BBB2515566FC,SHA256=B7FC50145FD4C493E16C8652CA92E8E0FFF3484F826F486B01D2E93BE0DB4191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:07.054{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8CFDAC11085459E7632B7A50425B2F,SHA256=02683EEFBB167812B1319BA083A2FC62664543853ECE678F76021B1804243CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:08.668{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFD9FFD2FB3FB170E3557B72CB18758,SHA256=B500F48FBEC01E1BD28D87C448146CE2BC62ADF340CCDC9E0B596738298C483D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:08.148{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040EA4DAA15FC8F59EDF01B7A3AF5B76,SHA256=B1E640589F61E74BBAD6B72634517903AEBEA3A4B84654A5B40F2FDB79D13021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:09.820{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284F8708A822A0B739833C82B39631EB,SHA256=5B35019D25A4FECED25284C7F8E3406986892346A1B5B3B160F84C6E8B4855AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:09.241{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D29471658887C26A9F164B2BC68545,SHA256=2093AA365C87A5CEE8B71A5591267E1981279F504B53EF807BD4AC4177EDA1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:10.866{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A2AA2E1B11E56913EBACD687F4757F,SHA256=06824C77CFF221B0556B39C22A3DC6E24A1AE2C28C5A3B8ECC76E0A6BED645AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:10.335{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACD7EA7D5CDB87A56F0168405DF4BDA,SHA256=09EF8513C477C824A89BD9002DB250A615B302493A9B5D242B98F430682D413F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:11.918{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9CE8CEFC595411F911DA0D568BA2B0,SHA256=8F0FBF6DC436D741FF86C2C91311B3924B3670D10D99AD74D15D718102E2E5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:11.429{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644C0E930B0A1B107CBD2A8DAD4A6EC,SHA256=EB0C2F94CAD46EEDC235A6883ED24F15204AAD2E995AD72FDF7A43AF6009C7B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.788{53069400-F6F0-62DF-E903-000000007002}38123836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6F0-62DF-E903-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F6F0-62DF-E903-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.601{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6F0-62DF-E903-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.602{53069400-F6F0-62DF-E903-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.523{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7C0DC64D7EAB9AC8AA2902E5387C3A,SHA256=D8E2149605628E0E98A764726367BD5861784DFC7AD4B38408FC5FF5E7F6E709,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:09.066{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65147-false10.0.1.12-8000- 10341000x800000000000000055548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.288{53069400-F6F0-62DF-E803-000000007002}3688104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:10.281{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51184-false10.0.1.12-8000- 10341000x800000000000000055546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6F0-62DF-E803-000000007002}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F6F0-62DF-E803-000000007002}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.101{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6F0-62DF-E803-000000007002}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:12.102{53069400-F6F0-62DF-E803-000000007002}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6F1-62DF-EB03-000000007002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F6F1-62DF-EB03-000000007002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6F1-62DF-EB03-000000007002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.853{53069400-F6F1-62DF-EB03-000000007002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.851{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732A1DA687FF3DDC6D12890BC63DCCE1,SHA256=E5637E8AE13BD664D936CB76EDFB204F67FC4940BAA7BAEB40B1C79DB243B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:13.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AF70D9341BF36718577AC97425D1FB,SHA256=828D57490AF497F307A881DCE0ECEEE79F20E0AC2B8ABAAECCFF51A8C86B2515,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6F1-62DF-EA03-000000007002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F6F1-62DF-EA03-000000007002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.226{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6F1-62DF-EA03-000000007002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.227{53069400-F6F1-62DF-EA03-000000007002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:13.210{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9881F7777BA17471E0EF8EFE29621684,SHA256=2A320048E8141EC34F95BAA53F535DE609EF514176790B4843CEA438DACF45E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:14.081{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF4CEB41EEF03666B9D675EA6BAE84A,SHA256=438ABC29CB0AB25310E659F26D77BDC707DCCE0B0A54064250F6D05AA1BE612C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.632{53069400-F6F2-62DF-EC03-000000007002}35163788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6F2-62DF-EC03-000000007002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F6F2-62DF-EC03-000000007002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.460{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6F2-62DF-EC03-000000007002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:14.461{53069400-F6F2-62DF-EC03-000000007002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:15.200{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB6757CC56E1400B68B9F1BFC5AC8F8,SHA256=7929349E92F3E8BD6F34989AC664ADED712B071B06696A6973F96D455D079266,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6F3-62DF-EE03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F6F3-62DF-EE03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.710{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6F3-62DF-EE03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.711{53069400-F6F3-62DF-EE03-000000007002}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.273{53069400-F6F3-62DF-ED03-000000007002}3456664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F6F3-62DF-ED03-000000007002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F6F3-62DF-ED03-000000007002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F6F3-62DF-ED03-000000007002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.088{53069400-F6F3-62DF-ED03-000000007002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:15.085{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CACA750EEA717A5EDA811E853E3D7F,SHA256=24887FCB1454DC9185B4C7C9B2C1A245D81942A3CE217A5EB45B470E849FBFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:16.246{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F24FC566B37CEF64E38E528B96B678,SHA256=35393397E74DC6F999FBAEC0CF5172D0E525AA484A461AEF5152E118C61FC30F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:16.335{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30966F7D082E7EBA1AAD36E9509AFDAD,SHA256=A081CAA8EEE8339462872A5335B50ADA7C7DCC484E38AD90CC21D46D0098BA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:17.554{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF81E71824CE647B846235B948F98A4,SHA256=48C03BD59BD5FC6121A1920274B8D38CFD823184FC1B2A6088C736A0DC30E6E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:17.360{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000285960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:17.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED35C2BAF8325F635673CE73B5F144A,SHA256=D9371BAEF2036E29A75BF077D1165139CF0EF0664F454E139CA4B548D9E4230D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:14.262{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65148-false10.0.1.12-8000- 10341000x8000000000000000285958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:17.244{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:17.244{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:16.265{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51185-false10.0.1.12-8000- 23542300x800000000000000055635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:17.007{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9DFD6CA70EF25EF7FEA5D55F30508262,SHA256=43302914822369D0920086B659524BB3C61C8D2AFCADBC4B997D9A3FA4CB7DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:18.648{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C193B68C1B21A477695A2957682BD06,SHA256=2B28C853FA1EA91210C7EFEA329B9BA3EBD9827AE771DC623C8C7F92EBD48FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:18.343{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120419CA39BFB334BCF6E67D51DA96B4,SHA256=5BD8C0CD7A2C820C98689141FFA3F82F677E4ECE77ADCA5DA4A2B834EA77EAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:18.327{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AC05C16BF664F06ADD6E79409D0C86,SHA256=20E86D2E6CEBEFF4FB89718BCCCC5834A964F9627BB539C83A499BD0C68674CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:19.741{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46704B2E732A3F0343083E51BF15E858,SHA256=4127E662A6525B1FB3C32C58AA96F0D067E7C59E099993279E3E2A7FAB371BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:19.358{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AFE2EFAB86EDBCBA793B2FD9A9D753,SHA256=B84E99A6CBD9177818267B35A64CC68B9594B8B54CF94C946E572113A9005675,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:16.394{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65151-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000285968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:16.394{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65151-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000285967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:16.285{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65150-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000285966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:16.285{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65150-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000285965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:16.279{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65149-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000285964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:16.279{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65149-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000055640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:20.835{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9633162712C386ADCA03F30C7D5E681,SHA256=A5EA1C68BD6CC4E19613F0909DB81CE83A6CD9E2B30EC5FFF48460F336F93912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:20.494{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9031FC8D1D5A3A11CE7C818619E65C,SHA256=5F08ED7E882994FC790483846D2F4F0A83B2D855FFE69B1E91B49A246871FB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:21.929{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8FA7AD9F611621C8E2908CE9CAA63D,SHA256=567B09833ACA01BB77393AB95CFE3490108D03EB77606D6B1293C2BE61CC59BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:21.524{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E403DB13601AE11A631F98D62FC4E75,SHA256=539134143754F809D0211C8E3E69A9C359351E4662A20ED0A140DAE7CC884508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:22.639{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E664BF48563767CC7F70BF3EDB8FBCB2,SHA256=5BE816AD6FA4B73F79224C10FBA0D49E2C7A67677D1C07CC55B1151C87E0DE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:23.771{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63AEFEFD30E566D538F5D3156687081,SHA256=222E2B9CE245013BA1304BD09D2DB91B6E2ABE70DBB1B235FD1D0061C8BEE6A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:22.249{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51186-false10.0.1.12-8000- 23542300x800000000000000055642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:23.023{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD21BA635D7D4BC6FAFD09FD2D88AF91,SHA256=4847207B7F2FD08D343F9EBE4D800605515493504FE30F95CFF3988E45F74935,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:20.271{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65152-false10.0.1.12-8000- 23542300x8000000000000000285976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:24.907{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE181919059F2D35385A0E53D6F34DEE,SHA256=D9C3BC62094E1C047ACF6CC9CC10EFE091CA8D008DB1CB450D55BC0098007A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:24.117{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43742F9BE55544659A593B7FC119DC9,SHA256=BD891591CED8A5D2BD020F0F491F4473CC53FF30595484339114699244E2AB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:25.952{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101358C7185AF223CC986ED5DB7DF95F,SHA256=6DABF983B6E800AE88E9020CBA7429C828D1A28B673C39FF5A0BE06103A86533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:25.210{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C405EA6B0A7A1A6ADB128A3E9BE110F5,SHA256=3D46F167D9A7F8E209BF685350E67F069C86CA6341FADA940610EF335E7F3066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:26.304{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DD04F06890365094E99F4F9A69EA72,SHA256=D5F8E8A00BBEAED4B0001F46430C413FDC29915D31E4E842A5612C6847D8341B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:27.398{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD0F189E2B375F077CFA51B12EA3DC8,SHA256=4B4CB4AAC54BD53DD5E04D41DFA31D368805BCE94C17001053D31A4BAEF1FF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:27.068{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF77BDEA5C8B8083A8198CE2B88FAEE,SHA256=8ECA348715B9A6B33FEB4F63042AFD11EBFC126E43836790AC8E9F27CB35C3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:28.491{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A9F11A9B953752215A0728DCA9176D,SHA256=39888F77EC2ACEB72896A9C93A8FD421BE94113EAC99E593DA02FC48F7EDB476,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:26.182{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65153-false10.0.1.12-8000- 23542300x8000000000000000285979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:28.103{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005598D56508FBC4A331631992A3DA78,SHA256=96D8C560AD6DB5A20FD8C3C378CEFAA57F3306B1FF43812C693008133E55FC7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:28.171{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51187-false10.0.1.12-8000- 23542300x800000000000000055649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:29.585{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978EC812B78F5E734C01313F56327995,SHA256=4ECCED1BFAB6663AE66FC0826429629C91C2739E9FBDEC376A6A378543231544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:29.266{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BDA599111EACE09260CA1653C297A6A,SHA256=CF50C52B1B27D816254FAEC696E79745E224D9FD27C88DAD71A499B423A0DDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:29.233{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A8CEE9D097D54B8149E224518DAAA,SHA256=A1AB9BC7A51E12FF7D629AE01609C6E9703317B907C1ADEF5510F31BDFA83487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:30.679{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F74E02DED1C56BA8188918FFBB54E9,SHA256=232F923D92F9C80FCFBD745376CFFFD2827A24CC9484F1470C8F1DA0D48B9E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:30.266{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183040CF1F871D8390577BF611D7AD94,SHA256=2104E4760F42DF4684820AA3DD2602DD087DBD7E21D207678C2307FC19D52496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:31.773{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D234792F4B9A30B961E035C8C2CD77,SHA256=917E2166319C452E5DAB4A889F2A758840E92AFE3DAAEA76CBB0C2EABFC3AB29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:31.699{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=03F0DFBBD6F75E35A901B720EF8E4610,SHA256=6A8D0F1E2CDF60968499A49CD616AD14ED9C7DB1BA87AFA8F00FE2CE87ECC9AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:31.315{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB634789DDF6A50F4ECA78178283B713,SHA256=9A6116DD29192C1037E46DF5716AB6AC1F8311C6F410873855F8D14C741D1B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:32.866{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A929000C2E3D77F7ADF0D407B297DA4,SHA256=EC909C6E2EC85CBB2D8DA980B73DD9106911CD20550F5D777034DAECAF90FAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.630{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F704-62DF-5806-000000006F02}11896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.630{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.630{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.630{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.630{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.630{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F704-62DF-5806-000000006F02}11896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.630{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F704-62DF-5806-000000006F02}11896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.634{F81F30E6-F704-62DF-5806-000000006F02}11896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.367{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E8F0F53219BF42ED0424B49E0ACD62,SHA256=F7FC5BE5A8CA6B96182B28F88832187CA7B9A9E06A9CBDE7D4823183B1BD6AB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.345{F81F30E6-F704-62DF-5706-000000006F02}1174811756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.130{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F704-62DF-5706-000000006F02}11748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.130{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.130{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F704-62DF-5706-000000006F02}11748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.130{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F704-62DF-5706-000000006F02}11748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:32.131{F81F30E6-F704-62DF-5706-000000006F02}11748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:33.960{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DBFF44435F92B50B37482678C89656,SHA256=45D93ED9D210EB62F44414D730B0041498F31A2995DAC922CFEEF6AFC6D20729,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.818{F81F30E6-F705-62DF-5A06-000000006F02}1341213416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.618{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F705-62DF-5A06-000000006F02}13412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.618{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.618{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.618{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.618{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.618{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F705-62DF-5A06-000000006F02}13412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.618{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F705-62DF-5A06-000000006F02}13412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.619{F81F30E6-F705-62DF-5A06-000000006F02}13412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.402{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED387CDF68C2722B25B7054CF77841BF,SHA256=8A5B441FD8D6BE247F211D8313F11078473F815C0D7F8F36CB66E4199AC90395,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.129{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F705-62DF-5906-000000006F02}11984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.129{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.129{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.129{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.129{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.129{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F705-62DF-5906-000000006F02}11984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.129{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F705-62DF-5906-000000006F02}11984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:33.130{F81F30E6-F705-62DF-5906-000000006F02}11984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F706-62DF-5C06-000000006F02}13544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F706-62DF-5C06-000000006F02}13544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F706-62DF-5C06-000000006F02}13544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.903{F81F30E6-F706-62DF-5C06-000000006F02}13544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.902{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=16AA5555F66E4215F1E8A7810AAF8AA8,SHA256=3697F9A5427AC971A7A5667B93E200D3BB7B9D5F79B6A1010784ABE8FC75977D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.764{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49F5B34F1548070FF65DCE292EE626B9,SHA256=A7F5C815B53A7895E0A0BDA4AABE9B07BA8E847C0B7CCDEA82C70EA25A464806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.549{F81F30E6-F706-62DF-5B06-000000006F02}489613836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.518{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E31DDAAE09E9745A5C19D629CD9CA5,SHA256=1E5FDD422D5C3E742657E18FE3ABEC8D872239D7C720871594099B1891419597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:34.132{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8E4BB66BC55EFD5CE797BD2A095264C6,SHA256=CD8F20C4A2CE06C0BDAD23B78872541144734661710B4881A24E1B6C9C1CB900,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:31.193{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65154-false10.0.1.12-8000- 10341000x8000000000000000286029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F706-62DF-5B06-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F706-62DF-5B06-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F706-62DF-5B06-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:34.302{F81F30E6-F706-62DF-5B06-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.583{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F707-62DF-5D06-000000006F02}13868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.581{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.581{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.581{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.581{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.580{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F707-62DF-5D06-000000006F02}13868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.580{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F707-62DF-5D06-000000006F02}13868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.580{F81F30E6-F707-62DF-5D06-000000006F02}13868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.563{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7ADF1CED67C74A4FF857D732615A9E,SHA256=FD4289735440D480A62C76385F300E2673A7D8195567B78819CDFBA001871556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:35.054{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E4D725ACA68D338C89FA53D8DE6C44,SHA256=998C13AA8CE000D7177F018D728AF5001EBBC25901ADA6C2725DBF624C40D737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.133{F81F30E6-F706-62DF-5C06-000000006F02}1354413560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:35.001{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:36.583{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7958A8D2D06195A56049CC0F39706E2E,SHA256=A0CD8746DB41129EE23D72F4A40BF731812EF7C03F4E20AA33EF5D47253F994F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:36.148{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C040B4D92B82CE606635F3CCF9C04,SHA256=44EA1ABE16C6EF3117B89474601A50DED2E6D22C947B913ECD39FB2459128E25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:34.156{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51188-false10.0.1.12-8000- 23542300x8000000000000000286055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:37.631{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AEE14E2F1C5074D2197F5031A07C2C,SHA256=43004C70E84E8BFE1F2A62F4D6950CD368349D9739C8FDB182CEDAD44797D8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:37.241{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2514652FE811A701C7EBB9D0DD0B64D1,SHA256=1A54D38D7459A7DC230FAAAE0C05566BFA2E2B6014473BB38A9EC1D7F972BCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:38.678{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3790DD05DA950E92650C2D190AFF8C,SHA256=0FF7BA9A663DBA04FBA2A7E76148AF2577522D969A7BFF833D2857805C39D5C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:38.335{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D559A56A8B5EC6789C760612F58C6429,SHA256=748F3E7A890747B3F94686580EDC1B9AE5599F1A856CCC5CE6F1B8E167CCA11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:39.713{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50984139BD5B0CAC0BB907D502186C98,SHA256=36892738E5471728098A74642A209812EAAA7875F14DFC71AEE69C5DD72B587A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:39.429{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6013B7890C40C67928E5D9274516E0,SHA256=F599861C3692874E21116CAEB03086808CF94154C4BE7644B499316059213890,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:37.062{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65155-false10.0.1.12-8000- 23542300x8000000000000000286059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:40.859{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACF78FFF16623E587028A5B1BBF4715,SHA256=8833C5E3AE97A083825EC168522D8DE1A13B9A4725087BAD92B674AB07C7CEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:40.523{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B9E3F80593DFBC45DC9FD979864E13,SHA256=719C40BFD2A8FBB1E81FEF8EC444DCBEBC1AAED2ED3F0D67E494C6C3D63064D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:41.896{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0294337BADBE93B42FDE8D9751B8D4F0,SHA256=A80BFA80626329A4FFF71D736B99E52E71DA86D3B1537C41DA85E8C4CB7064C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:41.616{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC1FBA22A40BD1FE1161B869E9E2F21,SHA256=79BBD8F1C7CFB31856A0C05ED487CC86EAFB4BABAE1EEA617478AE2BB0D8DC0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:39.218{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51189-false10.0.1.12-8000- 23542300x800000000000000055666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:42.695{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32B05DB688531CF630864B81293367D,SHA256=96BF6D6DB798DFB88B12B92343FFE256745916A2C44C02AE4A5B37DCC12DF19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:42.479{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-122MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:43.788{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D325B63AE629A2C5B0F090AC39FB8145,SHA256=DAAAB50FFAE13ACF9AA7C8E0E0E4C0D349AF5B38358903BCEE4A80F3AD405DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:43.011{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E22B567BD293E9B9801AF13A7127F47,SHA256=A5F892EC87C676F0ECFBD22C639064E683CB07DC49DBB36A77FA5F721817D6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:43.493{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:44.884{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080EDE3CB32A83EF3DAC551736A75D98,SHA256=66726D33F57E76F625FCD1132A0A7DBBAF0F24FA57ADB21391BEAE902586DA47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:42.089{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65156-false10.0.1.12-8000- 23542300x8000000000000000286062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:44.127{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99DAE07F981245C6F0086E5B8384190,SHA256=138119F6AAF8A1D3972AE8CA38D315FEC0CC3A54CF12BFBCFCFC8BB845B6082A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:45.978{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E872A6EEC548570B10D51E871110CD99,SHA256=F3F2AAFCF15742099016DE409F9AF1F13DEE954CEB22620161CCCDD451DDACCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:45.175{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843DE8DE06EE31028CE1A11726D2767A,SHA256=AA2E69C180E7EF02B167BB65425309E9EFD29BAD18BF5AC92F3D6BF88B6448DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:46.209{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188EE53F618EC64B06D00AD46A668BEC,SHA256=DA7A3D89C971810159704415D056068FFA05A2BAAF085357AB746CE4B5FDACAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:46.306{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:45.142{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51190-false10.0.1.12-8000- 23542300x8000000000000000286066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:47.324{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA923A333D4B1C176E0D6C2EEAC13A3C,SHA256=2C8C99A98B4276910DE9B1B26F6C6A93380B9BED8E90ED9804FE0D25309B1E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:47.134{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9EB349C164C8280E48AFF4230BF1A897,SHA256=8B476DEAA5A5DF6E34CBA8578DC6F7EFA679FFDCE3BB43960F190E61C896AE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:47.071{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21CAF1B2855A4FB7636695B574ECCA0,SHA256=E7F9D6C3F40EBB21BB69748C5340E9ED2658CE31EAABB722E005297A0354A8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:45.570{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local63715- 354300x8000000000000000286070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:45.569{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54314- 354300x8000000000000000286069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:45.568{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58930- 354300x8000000000000000286068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:45.565{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62479- 23542300x8000000000000000286067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:48.355{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73775381C437F87240BC060961C260B2,SHA256=126981B286B223B6FF56DC6DE5593CD32F6E58FC0F0D896D927F48594F776C30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:46.361{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51191-false10.0.1.12-8089- 23542300x800000000000000055675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:48.165{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D60995792314ECC5AE6252C71B3A61,SHA256=F0449C6ECF06BBD29C8F80C56AA0D09F0728E7E4C159B4EDD1C04F6A2209C1A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:47.302{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65158-false10.0.1.12-8000- 354300x8000000000000000286074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:45.582{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65157-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x8000000000000000286073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:49.391{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E01E657C04859EF82A001738F3E5C7,SHA256=9EC851123A4F5177B5C93DCE5B8373550F9EA303CD47F1F85F419F5316C528C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:49.259{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB688E5E2607B386DFF70F244E6BCFC,SHA256=62FCC37B8F194E394C7C4480926DAAA5461D42E7435C131756EAE7586E709A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:49.291{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.437{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5FA66E780808388FFC9F92D8F05A62,SHA256=30267124B869AB9585308411C6A7E8D01B48024A80F2415FA26DCB57E412E0EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:50.353{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D548A204FB1E65DD9380556BBBA24974,SHA256=BEBB81179E681C78179748F4997BB54D5DBDE447735EC5E05E2ED333E23506D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.921{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.921{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.921{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:48.301{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65159-false10.0.1.12-8089- 23542300x8000000000000000286084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.472{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A5B2C16014E8F5ADF5C884E92F2003,SHA256=801D60F8D760E55DA882F45044DB9F50E2C2BC3B576A3853AB75F1E365169F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:51.446{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5BF59C1B2446D4C66D2A866E8A1CDD,SHA256=4BCAB8BA5DF9A33DE963AD63226E56329225714572C640CF4F1649DB0B753574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.274{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.274{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000286081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:15:51.075{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000286080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:15:51.075{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000286079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:15:51.075{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000286078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.071{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.070{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000055679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:50.157{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51192-false10.0.1.12-8000- 23542300x800000000000000055681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:52.540{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BF9C6B243E490B23D0AE8E610037A9,SHA256=3440726AF7916B4DC651FE7A4EA54F88E07DC904CBFFF3BEE5537C70F914CF35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:52.935{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:52.935{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.124{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58727- 354300x8000000000000000286095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.124{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64074- 354300x8000000000000000286094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.103{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65160-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000286093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.103{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local65160-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 10341000x8000000000000000286092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:52.751{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:52.751{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:52.751{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:52.636{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC568AD05BA0E349CA8D161EF4B43262,SHA256=640E42136F9536F393A176F29ED30CEFEEFC5EA9550E02D0590217D6487384CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:53.634{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784E9BFCBE45EF006D7518C2836ED20D,SHA256=5F5E18F55B8C7B8883A9A12BA9E4B41619D976FD117D17A8F7A2C7A43B48DE87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.783{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65162-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000286105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:51.783{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65162-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000286104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.962{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55404- 354300x8000000000000000286103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.962{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59151- 354300x8000000000000000286102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.953{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65161-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000286101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:50.953{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65161-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000286100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:53.670{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C28D16F20C37F4C3BBEE9917A2AB2E0,SHA256=0378E00523430844168C5C1588E119DCE434D0618223F87A903B37BA2F81C61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:53.020{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E41433C88D50F4A6063EEE23DDC4A46E,SHA256=25A1A1FE34056FFD5BFB5D01ABC1D7D2A44FD17DE1BE2C4CDA477B506C273F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:54.728{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF63C21F7B7003BB9CACA72F490D52A9,SHA256=2C5C9DE78C9E30CAB2DA6363F1E257A7B417C10BCA9027538ADB2FB28F37ED04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:54.718{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847E60D23BE361822C8D077111ECBE80,SHA256=A65029A3A019508CD695A7FEE0D489B40F529E18C8325A35AB9BE0CED88AAE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:55.821{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54993C8A0440E4A0417E61907C449048,SHA256=BA081F7562C0913415158449B9E419FE0EA15AFF994B97C261DEA6F5C5C05178,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:53.151{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65163-false10.0.1.12-8000- 23542300x8000000000000000286109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:55.848{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C28783348AE51460F28FEE575EA0DAA,SHA256=F48D3EFC8035351F5A0F99DC97721C1CDD02E257B15F726F2719AD16F96AA6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:55.286{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=40896AD22093AAEE172FE1C3CD158C99,SHA256=42AEF94CA94A5F5E0CAD6F2CF7E1D1EB5EF59184441126ABC2DECB9D8B159E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:56.915{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61716005329A318421E1BE83E8EAC60,SHA256=34EBE256EC0989B4B45143ED1C91D9634F5226AEE70BDC427987EA7DF2F1660C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.990{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-122MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.885{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5C9F31E29CD0AFDE5055570B716C1E,SHA256=B0D9CA911369B2B451B96EAC8D49CE69C2F297EEFD6A345C53643C8A98F2DCDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:55.158{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51193-false10.0.1.12-8000- 10341000x8000000000000000286113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.487{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000286112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.487{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.487{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF73c98a.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:57.989{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:57.978{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D343FE2B0D51AA8A67ECEE6AE8EDB61,SHA256=2129363A4EED1A2E1EB3717BBC04C332E9733356DFB290ECC28ED6B8E26FEBA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:57.447{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:57.447{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:58.990{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=1AE0F621886F5E2ACBA0AA6B93EC8515,SHA256=E944516E1B02D171B5161DBA7017F09746E0DE9D458B50F0AF1ACDBEC1002177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:58.009{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49F65A68001760F42DE2D3B144B01D0,SHA256=6CD80BC0E05790B214F2F02F705794CB3D5CC87FA9A3F4B97038D99F7820B74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:58.974{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:58.959{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=5D6159053FA59604C41934466A9867CD,SHA256=6036EAB588F3765B7A17A72C6A2767AD6401EA8A265279A2167FEB5368EE4CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:58.900{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.093{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65164-false142.250.190.74ord37s34-in-f10.1e100.net443https 354300x8000000000000000286123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.075{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58650- 354300x8000000000000000286122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.075{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local60694- 354300x8000000000000000286121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.074{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65026- 354300x8000000000000000286120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:56.072{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59786- 23542300x800000000000000055688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:15:59.103{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F2E31BC883D036D21574DAFE417CA4,SHA256=3912D3F95E092FA13B3147BDD6FA3A80F7E9A0EC48FE8B174211A46E97200327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.836{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.321{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=05D14AB4EA3E0B7E122DA4E242658D52,SHA256=E463EEB72D4ECC0F09DA92A8D9EFF1589B1FCEB36F7AD9DA5E99FA68B6A246C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.305{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=4A0E23779B2EF3BF053D1FC5AE075785,SHA256=85A2E01C1AFA0E74E5DA598D962BEE6D964C0B23E3E42E4035DE02E00D7AF380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.305{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.305{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.305{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=3597C0286EC97E41E47EB92A51A0BFAF,SHA256=327C2DF5D6D3B1A91E3C97B1738397DD03EF592181E5B93D4BC02B5B1595EBF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.305{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=3D442506A92988B756C1AE5570388490,SHA256=8870FEA98BE495789052C9CF129241CAB02458D827B9952D746235843AF911F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.305{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=2CE2AA3C7651DE8464AF6E27FD202AE6,SHA256=DDBB913734FC587A08F2E4A28A3C8A79681031B31C1328429D261BB4FBB72C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.205{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=5D6159053FA59604C41934466A9867CD,SHA256=6036EAB588F3765B7A17A72C6A2767AD6401EA8A265279A2167FEB5368EE4CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.205{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=C5DEB80EB980141EC1CB64917DDB8E36,SHA256=2E7F307AA08B12D80C7C5DCEBC31CC995C4D47A6D53B43FD60C4D701F974D68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.205{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=1AE0F621886F5E2ACBA0AA6B93EC8515,SHA256=E944516E1B02D171B5161DBA7017F09746E0DE9D458B50F0AF1ACDBEC1002177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.205{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.205{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=DC9245D6D484A46FA84FBE48495E0318,SHA256=78946009983F7F6E7AA7F88598CE77A853313DEEA0C8F17895ADBB39A406E96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.205{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=01E830365F5DF26F93966FD5E8D52BF9,SHA256=4E05D7701B0E6738C8E2A161A57505A142E8286AEC0D25C0D8E08252CB3FCE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.190{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=C5D2510EE8AA53E5724815004442683F,SHA256=19A2450ED014E9E7A3A1BD4127A9E3980FCA60AD68F809BC9EF4FA6DE4AA1153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.190{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.174{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=1E6F9A9CE733F12DB3C5A33152E40BF3,SHA256=A42D9F1CC302A50BF677DB9A83463C67F93769062179A91B1EFE5AE32BBA5971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5611BC5AA5AF6C03CA902FD10445566F,SHA256=9C26BAA83520D82D32C3C228876DE66A4F01380E3A118C004D21D02E44D77FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=376E0D6AAFA0616512F2120F4A0E60F3,SHA256=43083306A6D11ED85D1CBE7589086E8FDFFE62125B7298863A68CB94981A2066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=1D1C018655A24164E2D256F2A28527FB,SHA256=6FBBAC00B713F8FC6FD722B14357424F34CF9658E2219FB5BE533632B4817782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=D8FE4433DB85E0F1538AAED2732E7DCA,SHA256=65845169B6BD41B444C0F30377EB61F2BCBF6198006DD4573C2AE33E045E67AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.158{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=BA9B92B38EB359A773B4A98158ED73E4,SHA256=4C9EB7E009CE6C9AC621BD92793E659153FED9B61A6DB475137D9E24753C7313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.121{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=C5D2510EE8AA53E5724815004442683F,SHA256=19A2450ED014E9E7A3A1BD4127A9E3980FCA60AD68F809BC9EF4FA6DE4AA1153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.121{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.037{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AE58425FF1E0486E6412D812198904,SHA256=2F90DF5D09142197B78C7ED01D044ADB11D2920D08C8922E9D30CE5F2B8A2F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.006{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=3D442506A92988B756C1AE5570388490,SHA256=8870FEA98BE495789052C9CF129241CAB02458D827B9952D746235843AF911F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.006{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:00.919{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28254CE80C4E6958F750F71B383CFE64,SHA256=709FF92B490B0CBE3E8AFB9882E57B4756107BFF9B1660242224FB2AC0DCAEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:00.435{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F57E59E57B63C7547B12D561C73BC3,SHA256=DDE79744E0AE532A3430773A4306820C7B63F64212AFCD96FA3E93BDF6442BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:00.196{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8058ACB033A1C8442D54AF66E86015E4,SHA256=57E0406CEC87A63FA03DF174589B8F3205BF080F8F96B29164F686AD265B95B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:00.282{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51194-false10.0.1.12-8000- 23542300x800000000000000055690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:01.290{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552C41636479FFAD44537AE6D5867B30,SHA256=F64BDEA80A9BABE772FB7D28FB6F830341B888043681F5DA9B6584F2B7514435,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:15:59.137{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local65165-false10.0.1.12-8000- 23542300x8000000000000000286183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:01.572{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082A33122B21DA7F637B347BDCCFEC8F,SHA256=D8D7EE131C09C9B2D4BB576B14E432633EDA51F81C9A07068826FE8CC1FE6D87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.986{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.986{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.986{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.986{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.986{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.986{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-F722-62DF-6006-000000006F02}1407214064C:\Windows\system32\cmd.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.966{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000286244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.955{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.954{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.954{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.954{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-F722-62DF-6206-000000006F02}1110812336C:\Windows\system32\LogonUI.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33f04|C:\Windows\System32\RPCRT4.dll+21860|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:02.384{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EE4D230E49DB46F776629C5C779043,SHA256=FC3C3E7B33AB47DA45AF9D29EFF80FEFADCB0C366963FE52493B059775AA44FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.933{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.917{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.917{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.917{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.917{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.886{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.886{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.886{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.886{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.886{F81F30E6-D9BA-62DF-8100-000000006F02}388811560C:\Windows\system32\csrss.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.886{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.886{F81F30E6-D9BA-62DF-8200-000000006F02}2176588C:\Windows\system32\winlogon.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+e50a|C:\Windows\system32\winlogon.exe+4cfe|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.887{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a1b855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000286220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.871{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.871{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.871{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.871{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.871{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.855{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.855{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.855{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.855{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.833{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.833{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.833{F81F30E6-F722-62DF-6106-000000006F02}1409213712C:\Windows\system32\conhost.exe{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.833{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-5F06-000000006F02}14080C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.833{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-5F06-000000006F02}14080C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-F722-62DF-5F06-000000006F02}1408014116C:\Windows\system32\conhost.exe{F81F30E6-F722-62DF-5E06-000000006F02}14088C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6106-000000006F02}14092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-F163-62DF-1F04-000000006F02}226414028C:\Temp\dcrat.exe{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000286197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.821{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000286196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-6006-000000006F02}14072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.818{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F722-62DF-5F06-000000006F02}14080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-5F06-000000006F02}14080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-D97C-62DF-0C00-000000006F02}85210352C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F722-62DF-5E06-000000006F02}14088C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-F163-62DF-1F04-000000006F02}226414016C:\Temp\dcrat.exe{F81F30E6-F722-62DF-5E06-000000006F02}14088C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+b2e8e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.810{F81F30E6-F722-62DF-5E06-000000006F02}14088C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\System32\shutdown.exe" /r /t 0C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000286186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.802{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F722-62DF-5E06-000000006F02}14088C:\Windows\System32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:02.618{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EC87E56AB02EBFDD52DDD45507BF9B,SHA256=0C683C1C16CC926A31CD82C5CD84B5C0B4D0E1FE6F1EF9D213BC887906F815FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:03.478{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908DEA434824F0A18509C85EE3BFBD63,SHA256=01F142C7471ABB012F9E64A754C4E3BCC04DBA172BF7479633DF21A7392913F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.965{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=02B515D6465AA5CF533171AE89D1E9E9,SHA256=BFAC01784590AB76498148ADB177F19314BD3C6C7CC89EFB62A86663B821412A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.965{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E0A51AA4E097754D8BAED807AD784C78,SHA256=3248A8CAC48CEAD014EB62506BEFBF64E92292BDF9AB0101164A6EA2C89FBE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.933{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:01.866{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65166-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000286327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:01.866{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65166-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000286326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.871{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\favicons.sqlite-walMD5=6D5A0486DAB7C72CC95795C09CFDD45C,SHA256=67A7FC70379718110A72090B4C84C93A329D302F7D843E0E58169AE946476F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.855{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\favicons.sqlite-shmMD5=570997AEA4297C776436B2A9248EE58F,SHA256=02DE782DE40B5DB1B2E8B93BE01CD280138A641D66E92562E1786D98E9C23D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.833{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\places.sqlite-walMD5=141C3716EAB29E636089EF083C5BC21B,SHA256=132EAF1B4773EFDC3A4735B9F9ACF07F73EDACD17AC98F9F8598BBC00826921D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.802{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\places.sqlite-shmMD5=9227831036CE73890B8B9F19B6EE655D,SHA256=9C7941991AA7D104303DAAD8A639CB44E4FC9935759D24C7313C60957C472C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\cookies.sqlite-walMD5=A87D9BB5DFCB5C1F5101990D80EE8A77,SHA256=80376A70318763CB87E331972F0EC0C6164D43844E0115AEE91C8B8F6F622408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DA3F-62DF-B800-000000006F02}4908ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8C6AB2113E703303AA6EFED54BA7C83C,SHA256=49E78C831AF7D197FE0F70E2275831FD591A10A9C60424F8ED9362294CFEB7A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e5ef99|C:\Program Files\Mozilla Firefox\xul.dll+e553f2|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a3936d|C:\Program Files\Mozilla Firefox\xul.dll+1d8b94c|C:\Program Files\Mozilla Firefox\xul.dll+1ddc11d|UNKNOWN(00000034CA763EFF) 10341000x8000000000000000286319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA6-62DF-C103-000000006F02}4792C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e5ef99|C:\Program Files\Mozilla Firefox\xul.dll+e553f2|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a3936d|C:\Program Files\Mozilla Firefox\xul.dll+1d8b94c|C:\Program Files\Mozilla Firefox\xul.dll+1ddc11d|UNKNOWN(00000034CA763EFF) 10341000x8000000000000000286318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-C003-000000006F02}7248C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e5ef99|C:\Program Files\Mozilla Firefox\xul.dll+e553f2|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a3936d|C:\Program Files\Mozilla Firefox\xul.dll+1d81ffa|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+12237a|C:\Program Files\Mozilla Firefox\xul.dll+132def6|C:\Program Files\Mozilla Firefox\xul.dll+1d8c408|C:\Program Files\Mozilla Firefox\xul.dll+1d824ef|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1803207|UNKNOWN(00000034CA761DF4) 10341000x8000000000000000286317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-E923-62DF-FF02-000000006F02}7404C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e5ef99|C:\Program Files\Mozilla Firefox\xul.dll+e553f2|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a3936d|C:\Program Files\Mozilla Firefox\xul.dll+1d81ffa|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+12237a|C:\Program Files\Mozilla Firefox\xul.dll+132def6|C:\Program Files\Mozilla Firefox\xul.dll+1d8c408|C:\Program Files\Mozilla Firefox\xul.dll+1d824ef|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1803207|UNKNOWN(00000034CA761DF4) 23542300x8000000000000000286316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\cookies.sqlite-shmMD5=18A1F6F68109B561D90E396E2967D781,SHA256=16BA24CED622FC9544E7F7398FC5A67B8B76FA5900FE20EC23F9ECC75333A955,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.771{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-DAB6-62DF-C200-000000006F02}4408C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e5ef99|C:\Program Files\Mozilla Firefox\xul.dll+e553f2|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a3936d|C:\Program Files\Mozilla Firefox\xul.dll+1d81ffa|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+12237a|C:\Program Files\Mozilla Firefox\xul.dll+132def6|C:\Program Files\Mozilla Firefox\xul.dll+1d8c408|C:\Program Files\Mozilla Firefox\xul.dll+1d824ef|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1803207|UNKNOWN(00000034CA761DF4) 11241100x8000000000000000286314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.755{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 14:16:03.755 23542300x8000000000000000286313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.755{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000286312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.755{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 14:16:03.755 23542300x8000000000000000286311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.755{F81F30E6-DA3F-62DF-B800-000000006F02}4908ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\config.xmlMD5=FD390C99149527B201E6A2BCC9F87CEF,SHA256=9C488DF2118FA994BED2E520FA432DBB2FA8F8644F8B2C82242AAFB350C048C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000286310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.755{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 14:16:03.755 23542300x8000000000000000286309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.755{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000286308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.755{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 14:16:03.755 10341000x8000000000000000286307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.752{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.752{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.752{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.752{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.751{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.750{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.750{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.750{F81F30E6-D97C-62DF-0D00-000000006F02}9126772C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000286292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.733{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe 23542300x8000000000000000286291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.733{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.733{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+183f230|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183f6cf|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1907bb7|C:\Program Files\Mozilla Firefox\xul.dll+1ae0b0f|C:\Program Files\Mozilla Firefox\xul.dll+1ad8cb3|C:\Program Files\Mozilla Firefox\xul.dll+18163f3 10341000x8000000000000000286289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.717{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.618{F81F30E6-D97C-62DF-1100-000000006F02}4401628C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.618{F81F30E6-D97C-62DF-1100-000000006F02}4401628C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.618{F81F30E6-D97C-62DF-1100-000000006F02}4401628C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000286285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-ConnectPipe2022-07-26 14:16:03.602{F81F30E6-D97C-62DF-0F00-000000006F02}360\TSVCPIPE-51afbbb2-c972-4758-a9b5-acd4fb358e92C:\Windows\System32\svchost.exe 17141700x8000000000000000286284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-CreatePipe2022-07-26 14:16:03.602{F81F30E6-D97C-62DF-0F00-000000006F02}360\TSVCPIPE-51afbbb2-c972-4758-a9b5-acd4fb358e92C:\Windows\System32\svchost.exe 10341000x8000000000000000286283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.571{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D9BC-62DF-8700-000000006F02}4224C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.571{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D9BC-62DF-8700-000000006F02}4224C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000286281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-ConnectPipe2022-07-26 14:16:03.433{F81F30E6-D97C-62DF-0F00-000000006F02}360\TSVCPIPE-81e819dd-8e4b-4d00-b872-bafe66ef59e3C:\Windows\System32\svchost.exe 17141700x8000000000000000286280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-CreatePipe2022-07-26 14:16:03.433{F81F30E6-D97C-62DF-0F00-000000006F02}360\TSVCPIPE-81e819dd-8e4b-4d00-b872-bafe66ef59e3C:\Windows\System32\svchost.exe 10341000x8000000000000000286279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.402{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D9BB-62DF-8400-000000006F02}860C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.402{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D9BB-62DF-8400-000000006F02}860C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.286{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.201{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.201{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.201{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.186{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.170{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.155{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.155{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.155{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.155{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.133{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.086{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6306-000000006F02}12420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.054{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.053{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.017{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB557DF65452562B5C4D9D7B6FF20369,SHA256=3EDDA7968FD036B29996A77E37A5774AFE371EC3A2C158F73BA7F820ADBA9308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:04.571{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B179885AEB4D79C2C4123DC514A1CACA,SHA256=E31657B2E453093CFF0C71DD2206864789DAE50E07F14EC05F916239E3814349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.822{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70FA9AA6BEB971CB05F9E1D049C6781,SHA256=27320E6270DF5BAA304B5B5420B95257451AE4629B2C57795FDE602F190439C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.306{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8AFAC45260EB3948B5BA108CA628C4,SHA256=28C378268C6062F4AB10F3DA3BB309E107E709B37EDDA4B47C02C945917207EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.181{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.166{F81F30E6-D97C-62DF-0D00-000000006F02}9125604C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.166{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B2B362F89AC6436718A7400AFB3AA0,SHA256=73D86C8DA856EC57F4822411B6F1A2037AEE27932A5D279152C19441099FFD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.166{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FAFE2E198EF6E79D6E5BD853FAE52CC,SHA256=A569A8DEB0D9343947B0ADCE50EE52F4445930D9F9619707C84B83DF97861F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.166{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2EC506E479215C26B8BF171827251FC6,SHA256=859EE225D7CE069AB99D0BCF4F22C3E30CA9CA68FD5D0D30B77E292A059B2A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:04.097{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=D2FDD684F43316569EC72306137D897A,SHA256=15384FDAB7A998A53919AEFCAF89CAE39239638C4D93C89E9FA03847D09769C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:03.997{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage.sqlite-journalMD5=2371BEA2FBC2091B6A2D4A97FCAE866C,SHA256=D751A796AFBC73AA02D2D2FCCE71F2F89DC69193D650D763FB3E3934C2A69D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:05.665{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF11BD15DF70892D726914F601DF22FC,SHA256=BF3B5A7B3A49A4E189855D985CFFB631038FAE54A47C4B612D8CF7E91876FA24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-DA04-62DF-B300-000000006F02}5544C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D99D-62DF-7A00-000000006F02}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98C-62DF-4400-000000006F02}3492C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98C-62DF-4000-000000006F02}3404C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98B-62DF-3600-000000006F02}3132C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98B-62DF-3200-000000006F02}1216C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-3000-000000006F02}3012C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2F00-000000006F02}2796C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2900-000000006F02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2700-000000006F02}2576C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2500-000000006F02}2492C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D986-62DF-2300-000000006F02}2320C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97D-62DF-1D00-000000006F02}1424C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1700-000000006F02}1320C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1300-000000006F02}956C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1200-000000006F02}780C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-0F00-000000006F02}360C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-0E00-000000006F02}1016C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0900-000000006F02}580C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-DA04-62DF-B300-000000006F02}5544C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D99D-62DF-7A00-000000006F02}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98C-62DF-4400-000000006F02}3492C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98C-62DF-4000-000000006F02}3404C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98B-62DF-3600-000000006F02}3132C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98B-62DF-3200-000000006F02}1216C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-3000-000000006F02}3012C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2F00-000000006F02}2796C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2900-000000006F02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2700-000000006F02}2576C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2500-000000006F02}2492C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D986-62DF-2300-000000006F02}2320C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97D-62DF-1D00-000000006F02}1424C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1700-000000006F02}1320C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1300-000000006F02}956C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1200-000000006F02}780C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-0F00-000000006F02}360C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-0E00-000000006F02}1016C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0900-000000006F02}580C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.650{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.603{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.603{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1700-000000006F02}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000286435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_7f751 12241200x8000000000000000286434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_7f751\Security 12241200x8000000000000000286433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_7f751 12241200x8000000000000000286432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_7f751\Security 12241200x8000000000000000286431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_7f751 12241200x8000000000000000286430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_7f751\Security 12241200x8000000000000000286429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_7f751 12241200x8000000000000000286428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_7f751\Security 12241200x8000000000000000286427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_7f751 12241200x8000000000000000286426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_7f751\Security 12241200x8000000000000000286425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_7f751 12241200x8000000000000000286424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-DeleteKey2022-07-26 14:16:05.603{F81F30E6-D97A-62DF-0A00-000000006F02}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_7f751\Security 10341000x8000000000000000286423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+35708|C:\Windows\System32\RPCRT4.dll+20ee7|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33f04|C:\Windows\System32\RPCRT4.dll+21860|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.588{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.572{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.572{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.572{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.572{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.572{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.572{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.572{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8524620C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8522296C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d9d7|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.556{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0700-000000006F02}496C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-1500-000000006F02}12284136C:\Windows\System32\svchost.exe{F81F30E6-D97C-62DF-0C00-000000006F02}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-1500-000000006F02}12284136C:\Windows\System32\svchost.exe{F81F30E6-D97C-62DF-1300-000000006F02}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-1500-000000006F02}12284136C:\Windows\System32\svchost.exe{F81F30E6-D97C-62DF-0C00-000000006F02}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-1500-000000006F02}12284136C:\Windows\System32\svchost.exe{F81F30E6-D97C-62DF-0C00-000000006F02}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.525{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1300-000000006F02}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000286380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache\KnownProxylessGatewaysV4Binary Data 13241300x8000000000000000286379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache\OpportunisticInternetGatewaysV4Binary Data 10341000x8000000000000000286378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-F722-62DF-6206-000000006F02}11108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.510{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2a7a|c:\windows\system32\SYSNTFY.dll+1466|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+35708|C:\Windows\System32\RPCRT4.dll+20ee7|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.494{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.494{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.494{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.478{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.478{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.478{F81F30E6-D97C-62DF-0C00-000000006F02}8524616C:\Windows\system32\svchost.exe{F81F30E6-D9BA-62DF-8200-000000006F02}2176C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2bda|c:\windows\system32\SYSNTFY.dll+152d|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+35708|C:\Windows\System32\RPCRT4.dll+20ee7|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.400{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.400{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.322{F81F30E6-D9BD-62DF-9000-000000006F02}4688ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+2a85c|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+2a85c|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+2a85c|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+2a85c|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+2a85c|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+2a85c|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.260{F81F30E6-D97C-62DF-0D00-000000006F02}912944C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+2d975|c:\windows\system32\rpcss.dll+30d8a|c:\windows\system32\rpcss.dll+3e3aa|C:\Windows\System32\RPCRT4.dll+6ae08|C:\Windows\System32\RPCRT4.dll+2f199|C:\Windows\System32\RPCRT4.dll+2efb3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:16:05.213{F81F30E6-D9BD-62DF-9000-000000006F02}4688ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\IconCache.dbMD5=92E31828AC57FE1C5B7AC7845824B50E,SHA256=F4B2D0D45CA04C04DE05536B8C5BE20630E959D537C219FF8CFA515C5966D1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:06.759{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C836EF913C7DEB0300145AA1DBF1B54,SHA256=4E011E86AD2570DDF6FDC12B176473346EAC4D448C909E97018194E62981A052,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:06.255{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51195-false10.0.1.12-8000- 23542300x800000000000000055697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:07.853{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F399B2106A92E35DA0FC2258DC8242,SHA256=280B6A953D954FF378D914F5A69DB83894825984F86415290310FB0B25B4DEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:08.946{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3338AF91ACA7516EB95D42340D189E0,SHA256=1EAC880DFFE22EBE7DCD620E99B69407D03590A8790D05A5F2BAC76AD966EAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:10.040{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4EF03E52AD6CF16272894E1397B39B7,SHA256=AA8C6D5A6E0425036DC69E10B605C3DA973501316B1221C24B7A8F428D196507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:11.134{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B4FBE66AB5CC9DF17FE44A3D1D06ED,SHA256=4070B3AEE730608C3AE3CC3D05A1DD751AEF0FEF554AD3CBB0DB0566B76D2A8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.946{53069400-F72C-62DF-F003-000000007002}34483596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F72C-62DF-F003-000000007002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F72C-62DF-F003-000000007002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.774{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F72C-62DF-F003-000000007002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.775{53069400-F72C-62DF-F003-000000007002}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.274{53069400-F72C-62DF-EF03-000000007002}33403832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.228{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A8BEA69AD4C10855685D5AE8E7D7CF,SHA256=D93415D3B09DE9C3E40EACE89BAD0E5B3F12E05F03B4B177539E0F1381C2327C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F72C-62DF-EF03-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F72C-62DF-EF03-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F72C-62DF-EF03-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:12.103{53069400-F72C-62DF-EF03-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F72D-62DF-F103-000000007002}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F72D-62DF-F103-000000007002}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.446{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F72D-62DF-F103-000000007002}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.447{53069400-F72D-62DF-F103-000000007002}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.321{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88306B68377992CF1F990D7D8D624403,SHA256=4FA2A2C9CFA53A7F0343103B62F8C9279CEFB8ACFC77600AFFB0E200D7411310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:13.243{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC682F07D31AC1DA3BA49C89490DFF6D,SHA256=E7C6E7FEC69052EC40DF1A436D7F3391B604D35979F8B621100DBBA8106E0834,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:11.267{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51196-false10.0.1.12-8000- 10341000x800000000000000055774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F72E-62DF-F303-000000007002}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F72E-62DF-F303-000000007002}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F72E-62DF-F303-000000007002}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.777{53069400-F72E-62DF-F303-000000007002}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.774{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212EDBD00A25E655AACB800FA252CADA,SHA256=593866C42355526A7204064690EB6685642AC132A135FD9E6889C31E781AB8CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.290{53069400-F72E-62DF-F203-000000007002}14122788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F72E-62DF-F203-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F72E-62DF-F203-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.118{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F72E-62DF-F203-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.119{53069400-F72E-62DF-F203-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F72F-62DF-F503-000000007002}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F72F-62DF-F503-000000007002}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F72F-62DF-F503-000000007002}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.917{53069400-F72F-62DF-F503-000000007002}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.915{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5FBC60008AFA9B9B78111BCDB49C31,SHA256=07204255438859C4794E8024D3B7444F7C422BD669E33EB772D256C5B93F0C3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F72F-62DF-F403-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F72F-62DF-F403-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.274{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F72F-62DF-F403-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:15.275{53069400-F72F-62DF-F403-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:14.993{53069400-F72E-62DF-F303-000000007002}3344968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:17.228{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DA608D891D8C79DD8548E44A744300F7,SHA256=BBC258564EC7A355D75ED0B4F56B1CCEF982682843A50C1A558ABC7AAFF16265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:17.056{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBA5CF6DA636906B899AF926D71033B,SHA256=A7DBCDC623796460DC8CF145389A2D23DE4DB16C8E96584731A1B481A4CCD040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:18.149{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA5058D51BA2BF19A5687368979B6E9,SHA256=03495E15EF773AC84CC0AE413DCC3F3B7952009A6A2ED28CB2EDF485F7F1A038,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:17.220{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51197-false10.0.1.12-8000- 23542300x800000000000000055806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:19.243{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D90B0A54AEC049BA9469372D5D6AEBE,SHA256=6EECFCFE8E3563C42084AF9A8EAE00FC1B351E615581BEA98416CDB98310C504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:20.337{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F133A997A0E5835A2B07DCE4CFF8FCB,SHA256=EB6EB8452110579BBE0644150E5C1C37FCB1C273AEB57475E2C5E49976088C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:21.431{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D4FF23F42BBA7BE797C2F0D17EEB4E,SHA256=DE2EB3D7C2C38A5E25E49E4737C1644B472920AAB69D886F5B123E533F0EEB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:22.524{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC4A842914E3D854AE120493A30EE39,SHA256=470896EBD92BB338677C718B3D71FF13EA2E86BA90C30495976817847BA3E1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:23.618{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA7969467799DEA7AABC24802A05F38,SHA256=59EB3F8A99BBC1ACD5B21730449E0ED7476A8E317304B67D31E2090876755508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:24.712{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BF44E10A3996E6785744669F8457C6,SHA256=D1407CB302E8F7585BEB50159EA4BA4793F3AB5F309BAE123F185BA028212650,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:22.267{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51198-false10.0.1.12-8000- 23542300x800000000000000055814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:25.806{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B7F53A90828EC5C52F958FB2FEF1F9,SHA256=E4C93C370B25BF6843DD26E66F363731F4E300EB954AAD5B87FB34BE72BC5619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:26.899{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A7C8AA3FD7164C0C02A203B67DF133,SHA256=0003BA39E748931294579498E310CEC6D0BF487B2FBE441A3EC70155F17E7C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:27.993{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAB78664877092817A39A94768AC1BA,SHA256=4E50FE279EA8DFBCE74D2DB207F48E312E23B6BB655940D2B48C2AFEAC15C861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:29.087{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B834DEC3D87B7F98E14992EAFC8D42,SHA256=895DE3F236BB4D68257A9EE827606AAC298B84E89E9FFBF1A7E248A09D371431,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:28.173{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51199-false10.0.1.12-8000- 23542300x800000000000000055818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:30.181{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C8C7BF74496CA7E9E23430DB5131E2,SHA256=FB637036E75F7F8E8444226CDF975B46F9FCD5887879F549415BE9B413477DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:31.274{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDC1EA457F1258FBC96A9510ABC73CD,SHA256=B8E35B818A019B24D008279BA72A99F9B824CB89860435C18F0F54A6E8059F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:32.368{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1AB01D430B75793A6C20C9410743F1,SHA256=7D8FFAA292A2F870CBC6378268122347A2EEF676D06B3E5118BC1C9AAED7EC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:33.571{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD37061BA01FC544A6CEA77A703830A3,SHA256=93224A9A3037A6DC88CFE8B917E32D074E597AEB9F404A05EA79C2AFFA9E7B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:16:34.134{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5ECA281572C9CE29FBE7F74B267E68D0,SHA256=DA21A93D233587A902C6FACB460AEB5831583DDFD912D86663303BC2E4F71ED4,IMPHASH=00000000000000000000000000000000falsetrue